The state of the adversary. The who, the what, the why they do what they do.

Episode Table of Contents

• [01:38] Are Nation State Hacks Getting Worse?
• [05:18] An Attempt to Change the Tide In Controlling Nation State Hacks
• [11:44] The Surface of Nation State Hacks
• [15:52] Missing the Opportunity to Resolve Nation State Hacks the Right Way
• [20:05] Is There an Insurance Coverage for Nation State Hacks
• [24:33] An Opportunity Found in Legacy Applications to Tighten Security From Nation State Hacks
• About Our Guest

Are Nation State Hacks Getting Worse?

Eric: Today, we have Bob Bigman, who was a 30 year veteran of the Central Intelligence Agency. His final term there was working as the CISO, Chief Information Security Officer. And for the last almost eight years, Bob's been doing private consulting. Out of all of our guests, they've all seen a lot, I think we can put Bob in the category of, he's seen a lot over his time.

Eric: So Bob, a couple weeks ago we had Dick Schaeffer from NSA on the phone, talking about information assurance. We were talking about this cybersecurity problem being a global problem, information sharing. We talked about the ease for the adversary to attack critical infrastructure, companies, governments, you name it, and the difficulty for the defenders.

Eric: You've had, as I said in the intro, a ton of experience here. What are your thoughts there? Are things just going to keep getting worse and worse and worse until it can't get any worse? Or where do we go from here? What do we do?

Bob: First, thank you for having me. I'm not sure where any worse ends up, but it's not going to get any better. We talked about information sharing and why I think it's needed to a degree. It's not our problem. The problem is that the attack surface for the bad guys, specifically the Russians and the Chinese, today is still so broad and so wide.

Proper Cybersecurity Measures

Bob: The fact that someone is or is not receiving certain intelligence reports from the government, or sharing with the government, or getting within their industry domain from their ISAC is really, it's not unimportant, but it's not useful. Because those same organizations aren't exhibiting the right, proper cybersecurity measures.

Bob: They're not doing the right hygiene, they've not configured their Windows environment the right way, they're not protecting their Linux servers. They're not doing any satisfactory analytics on their log information, both external text and internal.

Bob: So, what we found I think was, people complain that there's not enough sharing or global sharing going on. If we shared every possible CVE the second it was available, it'd be irrelevant because the people I work with, mostly, are just incapable of being able to make these upgrades and patch their systems and keep them secure at any point in time.

Eric: Let me take this to a physical world. Tell me if I'm on to something here. This is almost like a wealthy neighborhood, the United States, but a wealthy neighborhood. Everybody leaving at the same time, going on vacation, leaving their doors and windows open, no alarms, no security or anything, and we're not protecting our homes. We're not even protecting our neighborhood, is what I'm hearing you say.

Bob: Well, we don't value, organizationally, and to some extent in the government, we don't value the need for good cybersecurity hygiene, good cybersecurity practices, use of good technology.

The Need for Cybersecurity Hygiene

Bob: It's very ephemeral, in the sense that, yeah, if there is an incident, people might for a few short hours or months, throw some money at it, or do some things, but it's not part of  at least in corporate America, cybersecurity is not part of the corporate culture.

Eric: So at night I go to bed, I check all the windows, I check all the doors.

Eric: But basically what you're saying is, we need to be diligent about security just like we would in protecting our families in their houses.

Bob: It's got to be part of your corporate culture as how you do IT. Everyone relies on IT systems being available and they invest a lot of money in that and lots of time. And they worked very hard at it. But they don't, for whatever reason, consider cybersecurity as being an important part of that. They just frankly don't.

Eric: Arika, why is that? Is it the millennials? What's going on here?

Arika: Well, no. But I would love though to expand upon that a bit, because I think what we hear, is a lot of money, especially from the government is being invested into cybersecurity, a lot of focus within individual agencies. We see for example with Department of Energy.

An Attempt to Change the Tide In Controlling Nation State Hacks

Arika: They now have a deputy secretary, Karen Evans, singularly focused on cybersecurity. So do you see that tide changing where it is becoming part of the government culture or company culture within the government? Or do you still see it as a lot of talk maybe, but not when you really peel back the layers?

Bob: A lot of talk. So I'll give you an empirical, I'll give you a real-life example, okay? I won't tell you who it is, but it's a U.S. government agency, and you're right, they invested a lot of money in asset vulnerability discovery analysis tool. I won't name the product.

Eric: Understanding what's in the environment, essentially.

Bob: And knowing what vulnerabilities. And they spent a lot of money, they spent a lot of time. 2018, '19 they spent all day, two years, to deploy a single tool. Very nice. So I came back, six, seven months later after it was fully deployed, and I said, all right.

Bob: They were very impressed. They showed me how the tool was installed, and they were getting all these signals and all this information on vulnerabilities in this domain and that domain. I said, "Well, what are you doing about it?"

Bob: "Well, we're working on that. We have a resource issue right now." I said, "Well, why'd you go out and invest all your money in this tool if it's not going to be of any use?" "Well, we now know where, we can characterize." They built these very lovely slides about, "This is our biggest record, Lovely Power- classic Washington DC."

Presenting the Risks Versus Addressing the Risks

Bob: They built these lovely PowerPoint slides showing where their risks are. But I ask, "What are you actually doing to address this risk?" "Well, we're working on it. That's in next year's budget, blah, blah, blah." I just shake my head.

Eric: And you would think once you have the data and you've pointed out the risk, it should be even more motivational to go and address it.

Bob: Well, you would think. But in this case, it didn't turn out to be. ]It's funny, the planning wasn't that good.

Arika: So how do they shift that? How do we move forward, if we, in theory, have further to go than I think we realize.

Bob: I've been arguing for a long time in Congress and in the administration at OMB years ago, that we need real regulations.

Eric: What do you mean by that, Bob?

Bob: So I'll give you an example. In Singapore and in Israel, if you're in the critical infrastructure, you are told how to configure your windows domain. It's not an option.

Bob: And those settings are centrally recorded and managed and logged and viewable by the government, because they want to make sure that everyone, in the critical infrastructure, is optimizing their security tools, and optimizing their Windows environment, and their Linux servers the way they should be.

Bob: Now, I'm not necessarily saying that we have to regulate to that degree. But if you look at what they're doing, and you look at where we're at, which is, well do what you think is best, and spend some money on it, and hopefully things will go right. There's a big, big window there.

Eric: We do a lot of guidance. We don't mandate.

Bob: Tons of guidance.

Nation State Hacks on Different Government Agencies

Eric: Maybe that is the answer.

Bob: NIST is a guide. It's guidance. And all my clients are using NIST. Oh they all love NIST. But are they doing the actual things in them? No, they're not doing that.

Eric: Well and NIST doesn't have any enforcement.

Bob: Of course not.

Eric: On the government side we do a little more, with FITARA.

Bob: Well, again, FITARA I think is a bit broad in scope. I think it had good objectives initially, but it was a classic case of a committee got together and instead of building a race horse, they built a camel. But it's not bad.

Bob: FISMA's not bad, but it's not detailed enough nor, and this is the other part you were alluding to, is there any penalty for noncompliance. Whoever suffered, whatever government agency, even OMB, who suffered I presume the largest cyber exposure.

Eric: You're talking the OPM breach?

Bob: Yes, my account, my clearance, your clearance. Who suffered? No one.

Arika: I would say no one. I guess I could see that. We've talked about that in the past. How life seems to go on, especially now when we see some of these breaches, and as opposed to, I think the reaction that we probably should have and the changes that each of us even as individuals make to protect ourselves. So, that's probably a fair assessment.

Eric: Right now this is the real-world equivalent of all these nation states and other bad actors, not all nation states, reaching into our finances, into our bank accounts and extracting money, and we don't do a whole lot to stop it. To me, that's the way I see it.

The Surface of Nation State Hacks

Bob: About a number of months back, I was talking with a, I guess he's a greyer hat hacker. We won't color him, but he's not of this country. We were just doing some message chat. And I asked him about, he was asking about cybersecurity and basically sharing, cybersecurity sharing, and where's that at?

Bob: And I said, "It's where it's at. Just it's not that great." And I asked him, I said, "You all never even care about that." And he said, "No, we don't give a damn. No interest to us." He says, none of this, none of the regulations we so dearly cling to, be it the ISO standard 2700, 2701, FITARA, FISMA. He says, "You think we pay attention to that?" He says, "All we do is look for opportunities, and they're always there."

Arika: Well, and we often say, and they just have to get it right once. That's all it takes.

Bob: You're right. But we give them, in each organization. Exactly, as I said before, the attack surface is really, really broad. When you talk to people in the military, the generals in the army, they train you. If you're defending an area, the first thing you want to do is reduce your attack surface. So you have a place that you can defend. We don't even get close.  The attack surface is too broad.

Eric: And what I'm hearing you say is, you recommend some level of regulatory requirements in order to force people to do what they're not naturally doing.

Bob: And hold them accountable.

What Does Accountability Look Like

Arika: I think the accountability part is key. We see some of these regulations across all types of industries that occur, but what does that accountability really look like? Or how do we make sure that they're actually enforcing them? What are your thoughts on that, Bob?

Bob: I would, I think it's necessary. The problem is, they have spent money, the government has allocated money through OMB for cybersecurity without really guiding them as exactly how to do it. I've gone into some agencies where they spent lots of money on bringing companies to do governance, and planning, and policies, and strategy.

Bob: Didn't buy one technical security measure with the money, but had a lovely process, with lunch served at 12 o'clock at the governance board, and everything was wonderful, but the systems weren't any securer. I've seen other agencies basically pour all the money into the wrong technology.

Eric: I was going to say, I see that all the time. Tons of tools. Dozens, hundreds of tools.

Bob: Exactly. They buy, and buy, and kept buying, but they don't really have any good governance over control of their network. They don't even know where it's at and who has access. It takes a while, but by the time they install their tools, they're mostly obsolete.

Bob: Like this one agency I told you about, they went out and they bought the asset inventory and vulnerably discovery tool. And they were so proud of themselves. They were so celebratory that they got it installed. They forgot the goal of the tool was to find and then fix the vulnerabilities.

The Real Goal

Bob: So we see this bizarre mix of application of security funding, and I think the way you have to do it right is you have to really regulate it as they do in some other countries, and then actually go in and test, and see if it's the way it should be.

Bob: And if it's not, you got to hold, you got to find whoever's accountable, and I think that's part of the regulatory process is to say you're going to be accountable. Then I think you will see some real improvements.

Eric: Do we have enough money at this point?

Bob: We probably don't have enough money to fix the legacy infrastructure. A lot of them are still running on old SunOS. The agency I'm probably getting close to identifying, but actually not a lot of them do. They're still running on SunOS as their main backend database device. So, you're not going to be able to fix some of these systems.

Bob: But the good news is they're all going to the cloud. They're going to Azure or AWS, and I think we missed an opportunity, regulatory-wise, we missed an opportunity in the open cloud initiative to push them in that direction, which we are doing, but push them in a way that they also do it in a secure way.

Eric: I agree with you. When you look at the new cloud smart. We had cloud first, now the new government strategy is cloud smart. It's workforce, procurement, and security are the three pillars of cloud smart. We talk about it, but we're not mandating it.

Missing the Opportunity to Resolve Nation State Hacks the Right Way

Eric: Moving to the cloud just opens up the attack surface. Going back to the earlier part of the dialogue, it just makes it more available. It's easier for us, but also the adversary.

Bob: It gives you the potential to get it right because there are more tools available, and you can buy it as a service as opposed to you having to do it, which as I said, hasn't really worked. The problem is, these same organizations that haven't done it right on prem, I don't know what makes people think.

Eric: They're going to get it right in the cloud, which is more complicated.

Bob: If they can't secure their Linux data, if they're running on SunOS database, backend server, what makes you think the same crew of idiots, I don't necessarily mean they're personally idiots, but what makes you think they're going to be able to establish a secure cloud environment which is more complicated?

Eric: Which they probably don't even understand.

Bob: No, of course not.

Arika: Well, what is being done right? I think I want to add a little bit of optimism to this podcast.

Bob: What is being done right. Well, I've seen, at least in private companies, I guess some areas where I think they're actually improving. Specifically, some of the financials I work with are doing really good work in securing their Windows infrastructure. They're doing a much better job of managing privileged accounts.

Bob: They're actually bringing together external log data, event log data, UEBA, user behavior analytics together in a collected database and actually getting much, much better at finding incidents than they ever were before.

A Potential Need for Cybersecurity Insurance

Bob: Again, none of that involved any sharing or obtaining intelligence, they're all doing it themselves. I think they are doing some things better, but by and large it's few and far between.

Eric: How about the insurance space? Do you think insurance, cybersecurity insurance, I'm reading articles. There was something an old friend of mine published, Raj Samani from McAfee, about, we're starting to see cyber insurance companies just pay off ransomware, because it's cheaper, almost like an accident.

Eric: Oh, you're going to take me to court? Here's 10 grand, go away. We're starting to see more and more cyber insurance just pay out because it's actually easier than what you would have to do otherwise from a backup recovery perspective or you name it and shelling out the millions of bucks.

Eric: But do you see insurance at some point, companies are needing cyber insurance, not the government, do you see that moving the needle and making them more serious? Almost a commercialized regulatory requirement. We'll give you insurance at this rate if you do these things.

Bob: You've got to be very careful. I've advised a couple companies and a couple insurance companies on policy. And here's the rub, for the companies, it's not going to help. Having insurance will financially, potentially financially reimburse you a certain amount. It doesn't help anything with the problem. You still have the cyber problem.

Bob: It doesn't help with your reputation with your customers. In fact, it may even be worse if you relied solely on cyber intelligence. I wouldn't want to be banking at a financial institution whose sole security measure or primary security measure was, well, we've got a great insurance policy. That's nice for you, but what the hell happened to me?

Is There an Insurance Coverage for Nation State Hacks

Eric: How does that help me as a consumer?

Bob: It doesn't help you at all.

Eric: But as far as driving almost the, hey, you're going to pay whatever, $10 million a year for this policy, but if you do these things and show proof that you're doing them, your fees will go down to $4 million.

Bob: Well that's the rub. So, that's right. You can measure a good driver and you can install a dongle in his car and measure his performance, and make sure he's not violating any speed laws. To do that in the cyber industry, to do that in the IT industry is very, very difficult.

Bob: What's happening is, I've been involved in a few situations where in one case, a company was ransomwared, and they went to their insurance company, and insurance company basically said, nope, sorry.

Bob: The specific ransomware you got occurred during an act of war. It was going out to specifically a target, in this case it was Ukraine.

Bob: You just happened to have visited a website that downloaded the malware and infected your system. Since it wasn't an attack on you specifically, and it was a basically an act of war, you're not covered.

Bob: Well, so I thought the same thing, but then I looked at the policy, it's said exactly that.

Eric: I'm sure. I've read my life insurance policies and homeowner's, and if you actually read them, there are five million ways to get out of them.

A Cybersecurity Audit on Right Behaviors Against Nation State Hacks

Bob: In another case, the company had an incident, wasn't ransomware, but they did have an incident, they did lose my money to the Russians. They went to the insurance company and the insurance company says, "Wait a second, you've got server 2003 Windows servers on your network." And the company said, "Yes, but those weren't the ones that were attacked."

Bob: The insurance company says, "I don't care. That's not sufficient due diligence from a security perspective. That's an unsupported operating system. How can you make a claim that you have a security program of any value, when you're running servers 2003? Sorry. No pay."

Eric: So does the organization in question then going up everything? Or do they just switch insurance companies? Or do they just say loss?

Bob: They all talk to each other. They all basically, all the big ones are all the same.

Bob: There have been very few actual payouts.

Eric: We do financial auditing. You would almost think that they would go to some kind of, let's get Ernst and Young in here and do a cybersecurity audit to provide back to the insurance companies to show that we're doing the right behaviors, we're doing the right things, and therefore prove it out.

Bob: I've talked to a couple of companies who have started that idea as a business, a cyber insurance due diligence validation. The problem is because it's very complicated and these networks are so sophisticated, they can come in at a point in time and say, yeah, on this date, it was fully patched and they had two-factor authentication, whatever the due diligence requirements are.

An Opportunity Found in Legacy Applications to Tighten Security From Nation State Hacks

Bob: The problem is, how do you attest to that on day 671?

Eric: Well, financial audits, you would do them either continuously, or quarterly, or annually, and recertify. At some point you've got to draw the line, but you would do an annual certification. Ernst and Young's in auditing my financial books. By the way, there's also a group in here working on my cyber books to make sure that we've done everything we need to do.

Bob: Yeah, exactly that's being discussed now.

Eric: I don't know, Arika, we never really get to the bottom of recommendations.

Arika: The recommendation I hear is that you should be checking your policies to make sure.

Eric: Well, yes, but that's hard. It's really difficult. How do you get rid of SunOS which, Bob help me here, but I was a SunOS admin back in the '90s, so we're talking it's at least 30 years old.

Eric: How do you move it out of your business quickly? We've got legacy applications here, companies, government, but everybody.`

Bob: Oh, this one agency, basically, they've written code, the application, which is one of their primary business applications, actually uses, they weren't called APIs at the time, but it actually uses the features of the SunOS and now no one knows.

Eric: Total re-write.

Bob: Exactly. They're basically building a new system right now.

Eric: In fact, I would argue, they're probably more secure on SunOS than most people are on running on Windows today or whatever because the adversaries don't know SunOS that well, it's too old.

No Two-Person Rule

Arika: They've moved on. Right. Well, lots of good things to think about here, guys. At least though, when we started off, we were talking about the worst of the worst, but I think at least there's some optimism at the end now, but that's, we'll see.

Eric: Bob, you've got almost 40 years, maybe more of experience in this industry.

Eric: Okay, I won't age you, sorry. Awesome. 35 years young experience here. What's the craziest or most ridiculous thing you've experienced or seen from a cybersecurity perspective over that time?

Eric: Somebody not doing something, leaving their doors and windows, I don't know, you've got some great stories.

Bob: So in one organization, I won't say if it's public or private, we found the Windows domain admin dialing in from a Starbucks to do their AD work.

Eric: So they were updating or working on active directory?

Bob: On the corporate domain.

Eric: The phone book and authentication system for the organization on unsecure wifi over Starbucks.

Eric: In fact, you said dialing in, but if they had dialed in over a modem it would have been a lot better. So unsecure wifi, they're updating corporate active directory.

Bob: Yes, they're the domain admin on the AD box.

Eric: I guess there was no two-person rule in that.

Bob: No, no two-person rule, no nothing. We went back through the logs and found the addresses, and we had this suspicion.

Conclusion

Bob: We went and confronted the individual and he said, "Yeah, there's no policy that says I can't do it. I don't do it all the time, but this was, I got a requirement in, I didn't want to drive into the office, blah blah blah. I was going to be at the Starbucks, so I just connected in and did my work."

Eric: I would say, we don't document common sense, but that would just be my snarky answer.

Eric: Arika, end us on a happy note, please.

Arika: Well the happy note will be just, thank you so much Bob, for joining us this week. I think the conversation we've had with DEC in the past two episodes, and this one, it's interesting, especially given the expertise that you all both have. It shows us that we have a long way to go. It's great job security, for everyone. So that's my optimism there.

Bob: Thank you very much.

Arika: Thank you for joining us, Bob. And thank you to all our listeners for joining us each week at To The Point Cybersecurity, and we look forward to bringing you another episode next week.

About Our Guest

Bob Bigman is currently the President of 2BSecure, a privately held information security consulting company. Prior to his time at 2BSecure, he was the Chief Information Security Officer for the Central Intelligence Agency. He has over twenty five years’ experience in protecting the nation’s most sensitive secrets and is known as one of the Government’s leading authorities in program and technical information system security.

For fifteen years, he managed a multimillion dollar budget to protect all Agency and industrial partner classified computer systems and networks. He has worked with all major information technology vendors to improve the security of their products.