2021 Insights And Predictions, Part I - Ep. 112

We review 2020's top government cybersecurity trends, starting with Cozy Bear. We then look forward to what we think the big trends for 2021 will be with Mike Gruss, Executive Editor, Defense News and C4ISRNET, and Phil Goldstein, Senior Editor for FedTech and StateTech.

Episode Table of Contents

  • [01:01] What Happened in 2020 in Cybersecurity
  • [07:36] 2021 Insights on the Long-Term Impacts of COVID
  • [16:07] 2021 Insights on the Long-Time Conflicts in Technology
  • [28:16] How a Foreign Adversary Can Sow Disinformation
  • [29:07] 2021 Insights on the Things We Can Do to Improve Cybersecurity
  • About Our Guests

What Happened in 2020 in Cybersecurity

Eric: Good morning, Carolyn. We had Cozy Bear reportedly discovered. It’ll be one of the most significant efforts against the U.S. Government in this early part of the decade.

Carolyn: Way to tee up our show. Today, we're going to talk about what's happened in 2020 in cybersecurity. The biggest things that have happened, and then what our predictions are for 2021. We got Mike Gruss, Executive Editor at Defense News and C4ISRNET at Sightline Media, back with us. Hi, Mike. We also have Phil Goldstein, Senior Editor for FedTech and StateTech.

Eric: Gentlemen, before we kick-off, I'd love to say one thing. In our podcasts over the last two years, the media side of the house is universally the most well-rounded. It’s the most informed on these cybersecurity types of issues we talk about. I can't explain why, other than I know you're looking at all sides of it. You do a ton of investigative reporting. I've just found that it's the case and it's been great to talk. So, I'm so glad you're here.

Carolyn: I agree. You guys have your finger on the pulse of what's happening and it's really well-rounded. I just want to jump right in, just like Eric already teed this up to Cozy Bear. Eric, talk about Cozy Bear.

Eric: We'll try to get this podcast out as quickly as possible, we're not holding you to anything. It is Monday, 11:24, December 14th. The government just released the SolarWinds Orion code compromise and how to mitigate that. It's, as I mentioned, 11:24 Eastern Time.

Breaking Information and 2021 Insights

Eric: All civilian governments have been mandated to shut down their SolarWinds Orion products and systems by noon today. Let’s talk about that a little bit, what your thoughts are, recognizing this is breaking information. There hasn't been a lot released, we don't know.

Eric: Phil, I'll throw it to you. Orion, SolarWinds is a very well-distributed and used product across the government. Where do we go?

Phil: The early reporting suggests the two confirmed agencies that we know of, where the exploit was used to monitor their email traffic, are the Treasury Department and an element of the Commerce Department, NTIA. As we were talking about before we started recording, it's quite likely that we don't know the full extent of this.

Phil: The malicious actors in this case, Cozy Bear, Russian intelligence, could’ve had quite wide access across the federal government, since this tool is so widely used and distributed. I don't think that we can speculate at this point how much this has impacted the defense and intelligence community. But I don't think that we can put anything off the table at this point.

Eric: They're well-deployed across the DoD side of the house.

Mike: That's true. This is one of those areas where you kind of expect trust. Eric, you've read about this a little more than we have, but this came through updates and patches. That's part of where the vulnerability came in?

Eric: That's what the early reporting is saying. The government just announced this yesterday on the 13th. We don't know, but let's pretend for a second. Who cares if it did or did not? Obviously, we care, but it could happen. We've been talking about this as an industry for a long time.

An Avenue of Attack

Eric: It is an avenue, an attack vector, an avenue of attack. The early reporting suggested it was manually inserted as part of the supply chain, the software supply chain. I've worked for an OEM my whole career, really, since leaving the military. That's a huge risk. You have somebody come in who's trusted on the network, insert something into your software that allows them to access it.

Eric: FireEye had a really good report on this they just put out yesterday. They talk about how it went dormant for up to two weeks. Then it retrieved and executed commands called "jobs" that included the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. Those are the crown jewels once you're in the network.

Phil: They said it constituted, and I'm quoting from a New York Times article quoting FireEye, "top-tier operational tradecraft," and I think that's true. We've written on FedTech about the importance of IT and ICT supply chain security, how important it is that federal customers trust the security protocols all the way up and down the supply chain from their vendor partners.

Phil: This also coincides with a time when, for the defense community, we're moving to the CMMC standards for defense contracting, to make sure that defense contractors are meeting minimum standards for security. So, this is only going to grow in importance as we move into the new year, this idea of software supply chain security, IT supply chain security.

Eric: I agree with you, Phil. Plus, the other thing we didn't mention, this is coming off of last week. FireEye Mandiant reported that their Red Team Tools were stolen. Are they related or are they not?

2021 Insights on the Long-Term Impacts of COVID

Eric: The early reports are saying APT29, Cozy Bear. We'll find out over time, but this is going to be a problem that isn't just this incident. This is going to continue.

Mike: I think the initial reporting has said that this happened, what, early summer? Late spring?

Eric: Early spring. We're talking right in the midst of COVID and everything else.

Mike: We're super early today, but I think of the long-term impacts here. One is, sometimes we hear, "Oh, the threat's evolving," and "The threat's moving fast." You say, "Yes, I know, but what we're doing is revolutionary." But how many times have we heard about, "Hey, we have to be able to identify faster." And "We have to be able to identify when there's a threat to the network."

Mike: "Within a minute, or 10 minutes, or an hour," whatever that conversation is. Then we have to make sure someone's out of the network immediately, and here we have this kind of lingering, this time. If there’s any kind of silver lining, maybe it will reinforce some of these core tenets of cybersecurity.

Mike: We've been talking about it for so long, that the threat is evolving, that folks are on the networks entirely too long, and that as much as we think there's been an improvement, there's still a really long way to go. If this is Russia, which is what the initial reporting is, they're on top of their game right now.

Phil: Another lesson is that you can't take your eye off the ball. Even though 2020 was dominated, and has been dominated, by two big stories for CISA, within the federal government, and then the wider federal government.

Huge Roles in the Pandemic

Phil: They obviously had huge roles in the pandemic, first and foremost, and then the 2020 election. A ton of government attention, resources, paid to securing the election. Securing health data and vaccine data and scientific research around the development of coronavirus vaccines.

Phil: All of that was necessary. But clearly this went unnoticed for six, seven, eight months, and maybe longer; you cannot take your eye off the ball. You can't take your eye off the ways in which intrusions can come in that are not the most obvious things, even though the IT supply chain has been a top concern within the government for several years now.

Eric: "Top-tier tradecraft." Carolyn, do you remember Dickie George from Johns Hopkins APL? He was on the podcast, probably in our first half year. I used to talk to him a lot. He went through the Cold War, and he said, "Never take your eye off the Russians. They're so good at what they do."

Eric: That's what we're seeing here. I did some research this morning on SolarWinds, I didn't know it as well as I should have. What a rich target. If you're going to pick somebody, when you look at the Orion product, it's their enterprise management and monitoring capability.

Eric: I feel for these guys, they do it all. They do virtualization management, IP address tracking, server and application configuration, application and infrastructure monitoring and tracking, device tracking, network bandwidth analysis. What a rich target to get into the operation. Surveil it.

Carolyn: Phil, to your point, our eye was all on the vaccine. That's what we were all worried about, and it left us exposed; this is our blind side.

2021 Insights on How Remote Work Has Accelerated the Move to the Cloud

Carolyn: The speed at which we've got to get to better cybersecurity actually brings us to the first prediction that I want to talk about, after we've moved past Cozy Bear for a minute, which we won't move past for a long time.

Carolyn: The first prediction is about how remote work has accelerated the move to the cloud. Security in the past has kind of been maybe "shoehorned in," to quote Nico Popp, who wrote this prediction. We've got to get to a place with cybersecurity where it's an enabling engine and it is the foundation that accelerates and pivots us to the cloud.

Carolyn: We can take advantage of the speed, the scale, and the resilience of digital transformation. Nico Popp's prediction is zero-trust architectures from Gartner and Forrester, they're just going to be accelerated, they're going to be implemented faster, and have we seen that in government?

Mike: If we're talking specifically about zero trust, can you go to a sales meeting? Can you go to any kind of government virtual event or any speech and not have that included? It's just a crazy level of ubiquitousness that we're hearing when it comes to zero trust. I think that will continue to accelerate. What Nico was saying, which I was kind of interested in, was "Hey, cybersecurity is moving up the food chain."

Mike: We could have had this discussion last year or maybe two years ago, or five or 10 years ago. I think we've seen varying levels of responsibility and budget that have come as it becomes more important. We've already kind of talked about it today.

Very Pop-Culture References

Mike: You can go ask your neighbor, "Who's Chris Krebs?" They know now. People know who Chris Krebs is. I'm a big fan of WIRED magazine. They ran an eight-page profile of General Nakasone this year. We're in Northern Virginia, you talk about the school hacking that's going on there.

Mike: You talked about in the defense world, even European defense ministers had their Zoom hacked. Those are all very pop-culture, very broad references. But when you can see that, it doubles down for folks how important all of this is. So you will see more leaders saying, "Hey, this can't happen. We can't continue in this way."

Mike: The second part of that is leaders saying, "How come so-and-so can do this and we can't?" This old argument, particularly in the defense world, where someone holds up their iPhone. He says, "How come I can do this with my phone but I can't do it on the base or somewhere else?"

Mike: And I think we're starting to see that a little bit with, and I know Nico talked about this, but with security, too. Think back to the early days of the pandemic. In the Pentagon, at least, there were tons of offices that weren't on Zoom. They said, "Hey, we're only going to be on WebEx," "We're only going to be on our own video conference."

Carolyn: We're still seeing that, Mike. There's a lot of people in the government that we can't get to them on Zoom.

Mike: But then there's a whole shift, whole offices that said, "Yeah, we are going to make this work. We can use Zoom." Even within the services, certain offices within certain services.

2021 Insights on the Long-Time Conflicts in Technology

Mike: Other services would say, "No, we're not going to touch it." I thought he raised a really good point there. Nico did, by saying, and I'm kind of rolling my eyes here, that "you do want the security baked in." And you don't want to have to think about it. I think there is going to be this frustration. That, if you have a secure system and get the job done, that might not be good enough. I think that's where the conflict is going to be.

Eric: There's a blank.

Mike: I think that’s what's going to really show up in 2021. It’s "I need to get the job done no matter what because I'm working from home," or "I'm remote." But it needs to be intuitive and it has to be easy. That's a long-time conflict in technology, but I think it will be very prevalent in 2021.

Eric: As he says, "It just needs to work." Like Zoom. It's just got to be there when you need it, assuming your Google Fiber is working.

Carolyn: Mission beats all.

Eric: But you got to have security wrapped. It's got to work, it's got to be built in, it's got to be stealthy, it's got to support you. You've got to be able to do your job, complete your mission, but safely.

Carolyn: How's that going to look in the government?

Mike: There's going to be a couple of things. One, it's not going to work and we're just going to see folks say, "Hey, I'm not going to do Zoom." Or "I'm not going to be on video conference," or "You'll have to talk to me on the phone."

More Complicated and Less User-Intuitive Systems

Mike: You're going to have to use more complicated, maybe less user-intuitive systems. That's been happening for a long time, so I think people are willing to do that. But there's going to be a real conflict there. You won't see people just saying, "Well, the security protocols say this, but my general wants X." That's where things are going to come to a head.

Eric: I think we can build in security if we look at what CMMC is trying to do. Look at the awareness that we just spoke about. There are things we can do to make things a lot more secure, a lot better, without constricting usability. I really do think we can do such a better job. We just aren't doing it.

Mike: That's where the opportunity comes from. That's why there are so many folks in industry who see that this creates an opportunity for them. It's not just, "Woe is me."

Eric: I just wish we'd move faster.

Mike: Who doesn't?

Carolyn: All right, let's go on to the next one. This one is the disinformation, which scares the hell out of me, to be honest.

Eric: Disinformation, this was mine. Thinking about it, I've been doing a lot of speaking on it. This, to me, is one of the larger issues of our time. Phil, you and Mike probably have a much better perspective than I do, being journalists, being from the media side. We see adversaries weaving factual data with false data, falsehoods.

Eric: When we see the adversaries creating protests from Russia or from wherever, it's like the "Pick on Russia" episode. When you see people putting data out there that's believable, or that people want to believe, it becomes the new information.

Disinformation Is the New Information

Eric: The line for this as I wrote it up was "disinformation is the new information." That's what people believe.

Phil: I don't want to get too political. But to a very large degree, the call is coming from inside the House. It's pretty undeniable at this point. Look at the way that platforms like Twitter, for instance, have reacted to claims. That President Trump has made about election fraud, that he himself is a large vector for disinformation. Things have gotten so bad.

Phil: The New York Times now has a section on their website called "Data Distortions" to track misinformation and disinformation. Actually, it's called "Daily Distortions," my apologies. They track what's gone viral online this week. It covers everything from disinformation about the election to the coronavirus vaccine. You've seen some technology companies take some steps to try to combat the spread.

Phil: For example, YouTube said recently that they're going to forbid the uploading of new videos that claim there was widespread election fraud. Videos that were uploaded before the safe harbor deadline, which was December 8th, would remain on YouTube, with the company kind of putting something on the video, something linking to official results about the certifications.

Phil: I was reading an interesting article in doing some research on this from FiveThirtyEight. It’s about how the President primed a large percentage of the Republican Party to believe disinformation about the election. But the pandemic has kind of accelerated anxieties of all kinds in American life. That article was quoting a person, Oliver Robinson.

Phil: He is a neuroscientist who runs the Neuroscience and Mental Health Group's Anxiety Lab at University College London.

How Conspiracy Theories Flourish Based on the 2021 Insights

Phil: He said, "People are anxious, and so they're looking for answers. Some of those answers in this case are provided by disinformation."

Eric: So, people are basically saying people have this anxiety buildup and they're just looking for things. They want to believe something, they want to believe what they hear in some cases, if you lean one way or another.

Phil: Confirmation bias and believing in something that helps you make sense of a very chaotic world right now. Something that helps calm yourself down. Also something that makes you feel like you, as an individual, have deeper insight or knowledge that nobody else does.

Eric: Or you belong to a community that you can bond with that gives you some fulfillment.

Phil: That's how conspiracy theories flourish. As we look ahead to next year, I don't know exactly how you put the genie back in the bottle. I don't think it can be put back in the bottle. You can only try to mitigate the spread and that comes from having more responsible leaders from technology companies being more proactive to stamp this out.

Phil: Because you could try to take a video down or block something, but by the time you get to it it's already spread. The damage is done and it's spread on that platform. It's probably spread off that platform onto another platform that has far fewer scruples about allowing that kind of content.

Eric: I'm writing a piece on this right now, but CISA has released a disinformation toolkit that I found to be pretty good on COVID-19.

How a Foreign Adversary Can Sow Disinformation

Eric: I was talking to our PR team about what a CISO or a CIO can do at an agency to ensure that the information put out is accurate and they are the reputable source, as opposed to going to YouTube or Facebook or wherever you may want to go.

Eric: But CISA also has, it's pretty crafty, they use pizza in an example and they've got an evergreen infographic. It's pretty good to talk about how a foreign adversary could sow disinformation. They do what I would consider a really good apolitical job of saying, "Hey, this is what's happening. So, be aware."

CISA infographic: https://www.dhs.gov/sites/default/files/publications/19_0717_cisa_the-war-on-pineapple-understanding-foreign-interference-in-5-steps.pdf

Mike: From a military perspective, too. This kind of ties into the first two predictions here. We saw the Air Force in the last year reorganize what's called Sixteenth Air Force. It's now an information warfare command that oversees some of the Air Force's cyber units. One of the things they talk a lot about is deniable plausibility. Being able to essentially show their work and being able to put that information out there.

Mike: If someone else says, if another nation says, "Hey, this is going on," you can say, "No, it's not. Here's how we determined that this is not what's happening." We'll see a lot more movement in that area, but also this kind of "show your work." Working it out a little bit more in public so that folks can believe what's happening.

Eric: They know what to believe. Like I said, I wrote this when I did a ton of information research and thinking. Really, the thinking is the piece I spent a lot of time on. Imagine World War II up through, what, '43, the allies were not on good footing.

2021 Insights on Globalization, Internet, and Disinformation

Eric: Imagine the adversary, the Germans and the Japanese in this case. If they had the ability to pollute the American people's minds on the home front, what that might've done. That's really, with globalization, with the internet, with disinformation, that's going to be a big part of the next war. And that's going to be a big problem.

Carolyn: It just takes a little piece. I saw during pre-election, Biden was in Florida, but the sign behind him said, "Welcome Pennsylvania." It’s the wrong state. It wasn't real, it wasn't true. It’s misinformation, it was a fake. It was just enough to make him look like he was dumb, like they got it wrong. Those little seeds of doubt are what get to most of us. We're like, "Well, yeah, maybe there’s going to be a nanobot in the vaccine that's going to control my brain." I kid you not, I have people in my family that think this.

Phil: We saw there was a lot of fear before the election that deep fake videos were going to play this big role. They were out there, but they didn't play nearly as an outsized role as I think that some feared. The bigger vector of disinformation and misinformation came from the President of the United States and his allies. It's continued after the election.

Phil: Even though today the Electoral College is meeting to vote to confirm President-Elect Biden's victory, it's something that is going to morph and evolve and is going to find a susceptible audience. The question, I think, is how susceptible, how large, and what can you do to mitigate against it?

Show Your Work

Carolyn: Just going back real fast to what Mike said about what the Air Force is doing. That's something the government can do to help mitigate this. To trace it back for us and put it out there so we can see. "Show your work."

Eric: I want to transition before PR shuts us down and censors us. They don't like when we talk about the election or politics. Real quick question on the Honest Ads Act. Bringing the same type of transparency to social media that's required of traditional advertising, television, magazine, periodicals, you name it. Is it going to work, is it going to help? Will it do something? Or is it just a dream?

Phil: Better than nothing. I don't know how many people are going to look at those. Kind of bring that information into their information matrix and how they evaluate claims that they see in ads on social media. I don't know how realistic that is. But it's better than nothing.

Eric: Almost like the Surgeon General's warning. If I'm a smoker, I'm going to smoke anyway. But I do see it, maybe it works.

Phil: If it works at the margins, I think all the better for it.

Carolyn: Like you said, Phil, we've got to do something. Since this is already something that's out there, let's get it in play.

Mike: I’d flip it and say those of us in the media need to do a better job as well. Make sure that we're working; the phrase I always use in our newsroom is that we're "working with integrity." That we're showing our work and being as transparent as possible, so that way people can trust us.

2021 Insights on the Things We Can Do to Improve Cybersecurity

Mike: I know that their trust in the media has eroded in recent years, and also even in the trade press. That's unfortunate and I know we're all looking at things we can do to improve that. But I think part of the solution is also incumbent on the media to do a better job, too. That's a tough medicine to swallow.

Eric: I would agree with that. But my dad still gets everything from Facebook, so it's a multi-headed problem. I don't know.

Carolyn: You too, Eric. Where's your data?

Eric: Throw the big question out there.

Mike: You want me to take this? I thought this was a good idea because we're going to find out fast. It's everywhere.

Mike: Our friends joke, "Oh, I just bought a mattress and now I have social media ads for mattresses." You're like, "Okay, that's not..." But I do think what we're going to come up against is kind of this. What types of information are we comfortable having out there?

Mike: My 5K time from last week, or my credit card information obviously less, my income, anything else. From a government perspective what we're seeing is like, "Hey, what kind of information has been taken or stolen? Should it be accessible or it should not?" Did Nico write this one where it was talking about just how everything's this branch office of.

Mike: I know this segues into another one, but I think that's so true. You just need what you need to work on, but you can't limit it that way. And you can't say, "Oh, I only need these five documents," or "I only need this little bit." Or "Only let this part out."

High-Value Assets Weaved Into CMMC

Mike: It's just going to be everything. A couple of years ago in the government there was this big movement to kind of pick your crown jewels, to pick the data that's most important. I wonder how much of that philosophy is going to filter into our personal lives. But also into industry where we're saying, "Hey, this is what's most guarded. Everything else will kind of be with a lesser level of intensity."

Eric: You're talking about high-value assets, which was really on the civilian side. A big push, but you could weave this into CMMC. How are you protecting, because a lot of that's classified information, how are they controlling this? But let's just go to the beginning of today. With the Cozy Bear SolarWinds breach and the Red Team Tools from FireEye from last week.

Eric: SolarWinds was the perfect target, it knew where everything was. All the assets, all the traffic, it knew it. So, where's your data? Well, it's everywhere. But if an adversary can go to the bottlenecks or the choke points, the management and monitoring consoles, they can get to it even when we're restricting it. What the actual user may see, privileged users, privileged access, is going to be a bigger problem going forward.

Eric: I would say at the individual level, same thing. Your 5K time is great, your Social Security number isn't. But you know what? They may have your 5K time, they may have your Social Security number from OPM and five other breaches. Equifax and a few other things, not to pick on anybody. All of a sudden I know exactly who you are, or I can at least impersonate you. That becomes a challenge.

Every Part of This System Needs to Be Improved

Phil: You talk about privileged access. That opens up a whole other can of worms, which is identity management, too, that comes with that. It's kind of a reminder that every part of this system needs to be improved and on point.

Eric: People do things.

Carolyn: Well, we're going to pause right here. We're going to save that one for next week's episode. I'm going to thank our listeners. Make sure you tune in next week where we finish the prediction. We'll pick up where we left off next week.

To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers (2019 & 2020) because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast: cford@forcepointgov.com

About Our Guests

Philip Goldstein is a web editor for FedTech and StateTech. @philgoldstein

Mike Gruss is an Executive Editor, Defense News, and C4ISRNET. @mikegruss