In this week’s episode of The Security Ledger Podcast (#127): cybersecurity’s smartest and funniest executive, David Aitel, the Chief Security Technical Officer at Cyxtera Technologies, joins us for this year-end wrap-up. We talk about the supply chain attack on Super Micro, China’s continued attacks on western firms, U.S. indictments of Russian and Chinese hackers and what 2019 may have in store.
2019: A New Hope?!?
As 2018 winds down, the headlines are filled with worrying news that may or may not have a root in cyber security. In just the last week, we’ve had a nationwide outage of the 9-1-1 emergency response system by way of a disruption at ISP CenturyLink, and Tribune media, the owner of top U.S. newspapers, acknowledged that a malware attack kept them from publishing newspapers on time.
In case you missed the pattern: cyberattacks are hitting closer and closer to home. In 2018, they impacted not just our computers and smart phones, but the systems that we rely on to order our society and, literally, keep the lights on.
Looked at one way, 2018 may be remembered as the year when the pushing elevated to shoving between the world’s major cyber powers: with US indictments of leading Russian and Chinese cyber actors and reports of poisoned hardware and software supply chains affecting leading firms.
To talk about what we learned in the last year and what 2019 might have in store, we invited David Aitel, the Chief Security Technical Officer at Cyxtera Technologies and the founder of Immunity Inc., to discuss the events of the past year, from the recent reports on the actions of APT-10, which has links to the government of China, to Bloomberg’s blockbuster story about a supply chain hack of motherboard maker Super Micro.
Donnie, Talk to China
In an era of nation-state actors, Aitel observes, no hardware, software, company or person is safe from predation. Take the Bloomberg story about a supply chain compromise of Super Micro. The publication of that story generated a flurry of denials from Super Micro, Apple, Amazon and others named in it. But Aitel observes (correctly, I think) that – in the big picture – it doesn’t matter whether Bloomberg got the details of the story correct. What matters is that Bloomberg’s story about what happened really could have happened.
“It’s almost more true if it’s not true,” Aitel tells me. “We know that what could happen in cyber always does happen in cyber. Someone’s going to fund it. It’s not that expensive to do.”
In other words: an adversary who is willing and able to interdict and modify hardware, or to physically invade your home or business, is impossible to thwart. The solution, therefore, is to forge international agreements and codes of conduct between nation-state actors.
“Whether or not the details in particular for any of these things are correct, we need to have a massive equities discussion about what nation states will do to supply chains.” While the Trump administration may be trying to erect walls between the economies of China and the U.S., the future is more likely to see closer integration between the two. And that will demand cooperation and mutual understanding about what the boundaries are for things like supply chain hacking.
“We have massive government meetings about vulnerability equities processes and nobody wants to talk about what we will and won’t tell Cisco to do,” Aitel notes. “We need a policy: ‘in only the following cases will we manipulate supply chain.’ Then we need to take that norm to China and try to sell it.”
In this end of year podcast: Dave and I talk about the biggest stories of the year and also about what 2019 may have in store.