In a discussion conducted by David Masson, Director of Enterprise Security, Darktrace, and moderated by Martin Kyle, CISO of Payments Canada, a group of leading Canadian experts explored the current reality and possible future of cyber warfare.
Have They Hit You Yet? The session started with a provocative poll question: “has your organization been impacted by nation state attacks?” The response, 40% yes, 60% no, indicates that while this type of cyber risk is real, it is still somewhat “around the corner” for most organizations.
Nation states often collaborate with the private sector to launch cyberattacks against criminal gangs, or vice versa (i.e. nations sponsoring criminal enterprises). While this may conjure up images of far-away “patriotic hackers” in military buildings, we need look no further than the U.S. of A for public/private cyber offenses.
Consider the warning about the Trickbot malware. This zombie computer network facilitates ransomware and is a major threat to banking and other systems. Recently, the US Cyber Command, the Pentagon’s offensive hacking arm, took aim at Trickbot. At the same time, Microsoft, acting with approval of a U.S. District Court, was in there tracking and disrupting Trickbot’s network of zombie computers.
The Important but Dangerous Marriage of IT and OT. Discussion turned to whether it was possible to keep cyber attacks confined to the cyberworld. “No,” said Dave Masson, “because IT and OT (operational technology) are converging and putting physical assets at risk”. While this combination may make excellent technological and business sense, it can also open up new cyber risks.
He cited examples including the recent ransomware attack on Montreal’s transportation system (Société de transport de Montréal) which, he said, led to real-world vehicular traffic problems. Another cyberattack was launched against a health care agency (CIUSSS West-Central) in that city. And, Masson reported, a botched ransomware attack on a hospital in Dusseldorf, Germany caused an ambulance to bypass the facility and take a female patient to another hospital, 32 km away. Doctors were unable to save her, and she died there.
Masson observed that preventing such attacks will require a different kind of thinking, such as Privacy by Design (PbD), a philosophy pioneered by former Ontario Information and Privacy Commissioner Ann Cavoukian. Privacy isn’t exactly the same as security, but the PbD approach is helpful. Instead of bolting on security after building a system, PbD practitioners consider privacy and security from the outset. Cavoukian’s guidelines for doing PbD are found at https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf
Where Do the Bad Guys Get their Stuff? One participant mentioned that a young developer in his organization was using publicly-available code from a library that is frequented by hackers. Indeed, code analysis of malware often reveals that pieces have been snipped from other malware, which sometimes makes attribution a challenge. There was a lot of virtual nodding at the idea that computer science curricula should explicitly include analysis of failures and risk interactions.
What Can We Do to Protect Ourselves? Pair programming, merge reviews, and the Microsoft Threat Modelling Tool (https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) were suggested as good practices to combat security risks.
Another conceptual model that was suggested, one that extends the well-known Confidentiality/Integrity/Availability triad, is the Parkerian Hexad (named after computer security pioneer Donn B. Parker). It adds the dimensions of Authenticity, Utility and Possession or Control. This brought on a discussion of cloud computing, and whether you are gambling with your data by using a cloud service. Masson noted that cloud facilities, and the associated cabling and infrastructure, are subject to all the usual risks like natural disasters and power outages. Referring back to the Parkerian Hexad, he added: “Remember, if you go to the cloud, you’ve given up possession.”
Responsible protection is a mindset and an attitude that is embedded in responsible work practices and validation protocols. Hence the currently rising movement of DevSecOps (https://www.devsecops.org/blog/2015/2/15/what-is-devsecops), which may yet evolve further, to SecDevOps.
Human Minds as a Risk Factor. The question arose “can people’s minds be poisoned?” Given the spread of fake news and misinformation, the answer is almost certainly “Yes.” Add in the power of social media, and the “crowdsourcing of truth”, and as Masson said, “it doesn’t matter if it’s true or false; it’s a question of whether people believe it.”
Some saw a role for Artificial Intelligence in helping to sort out truth from falsehood, and indeed most of the content moderation by the large social media companies is automated with AI. There are also cultural differences to think about. Just search for “grandma”, at least from North America, and you’ll probably find a bunch of grey-haired elderly ladies. Not so relevant if you’re in Africa.
On a related note, built-in bias, even if driven by well-intentioned AI, can have harmful real-world consequences.
In an interesting essay on the perils of search engine bias, self-described “recovering urban advertising executive” Safiya Umoja Noble points out that typing “black girls” into a search engine box typically brings up a lot of unsavory images (https://safiyaunoble.files.wordpress.com/2012/03/54_search_engines.pdf).
What is To Be Done? Vladimir Lenin asked that provocative question in 1902, and it’s just as relevant today. The consensus from the group was that “we can’t avoid the facts of life” as Masson put it. There will be continuous challenges but, as has been noted in several of these sessions, as defenders we actually have an advantage because we know our systems more intimately than the intruders. The challenge is to remain vigilant and use all the tools at our disposal, and, where possible, work with like-minded allies in the public and private sectors.
“Just because you’re paranoid doesn’t mean they aren’t after you.”
– Joseph Heller, Catch-22 (1961)