[00:00:36] Welcome to Cyber Security Inside. I’m Camille Morhardt. Today on the podcast we’re doing something a little different. It’s a round-robin of sorts, featuring conversations with three panelists from the 2022 RSA Cybersecurity Conference. They spoke at a panel entitled “All Hands on Deck: A Whole-of-Society Approach for Cybersecurity.”
You’ll recognize one of the panelists, my co-host Tom Garrison. He was joined by Aanchul Gupta of Microsoft and Dr. Diane Janosek with the National Security Agency. We’ll hear first from Aanchul Gupta.
[00:01:09] Tom Garrison: Our guest today is Aanchul Gupta. She’s Corporate Vice President at Microsoft and she heads Microsoft’s Security Response Center. So welcome today, Aanchul.
[00:01:20] Aanchul Gupta: Thank you, Tom.
[00:01:22] Tom Garrison: I thought it would be good maybe to start off with your view in terms of what are the top threats today that require joint collaboration to try to go off and solve?
[00:01:36] Aanchul Gupta: Yeah, there’s a litany of threats I can go on with, but I’ll start with the one that is top of our mind, which is software supply chain. Threats are one of the biggest security risks right now; even though it is not a new risk, our reliance on third-party and open source software is exponentially increasing. And it is only a matter of time before we will see more software supply chain issues. Log4J and NOBELIUM are just the tip of the iceberg.
And there are two primary reasons that the supply chain attacks are on this continuous rise. The first one is our dependence on this third-party software is growing and it is becoming very attractive for our threat actors to find the soft spots. They could easily convince an insider to get onto and modify some code in the supply chain, or they can inject this malicious payload into the supply chain.
And the second reason is the usage of certain software is literally like salt in our pantry. And when I say salt in our pantry, when you look at different food items in your pantry and you start to look at the ingredient list, you will most likely find salt in there. And if someone were to tell you, “hey, salt is contaminated and you need to do something about it for the food items in your pantry,” it would be immensely difficult. So, the same way for certain software, it is very difficult to solve those issues because they’re pervasive and that’s what made Log4J such a big challenge for the entire community. So that’s why I feel supply chain is top of my mind.
[00:03:15] Camille Morhardt: So what are some of the joint goals that we can establish to work toward this whole of society approach for cyber security?
[00:03:24] Aanchul Gupta: Yeah, I think we cannot think about security in a silo. We need to think about partnerships and we have to make our ecosystem safer. It cannot be like, what can I do for myself? It has to be a close partnership with our security research community, with the security industry, with ________ is like all of us coming together.
I’ll take one example that is again, top of my mind: as we saw with the war in Ukraine, it is a hybrid attack approach that Russia is using. There are nation state threat actors who are conducting these intrusions on the software side. And then there is kinetic military action going on on land, air and sea. And they are doing this in tandem. Now, Microsoft worked very closely with Ukraine cybersecurity agencies and their local enterprises, the private sector to look at the TTPs–the tactics, techniques, and procedures–that are used by these threat actors to do a timeline map of how these threats are unfolding. And it was really good to see that timeline map. And it was also really helpful to do this partnership because without this partnership, we wouldn’t have gotten this end-to-end view that we were able to get.
And I think that we have to continue to evolve this partnership globally, because that is the only way we can defend against these threats. Let’s also not penalize people for sharing a breach of their system. We need to shift the culture from blame to community support. When we support organizations to be forthcoming with their experience, they get better insights. We are able to help identify supply chain risks sooner. And one example that comes to my mind for us is the NOBELIUM attacks. When we were seeing this in our network, we were sharing intel and IOCs from our own experience through numerous blogs. And it was very helpful for the larger industry because they could use this information and see if they were getting attacked in their network. So I believe sharing this information, being forthcoming, is very helpful.
[00:05:48] Tom Garrison: Well, great. Thanks Aanchul. I think these are two really important aspects of what we need to talk about in terms of supply chain and in terms of how we all come together in the industry to, uh, promote more secure platforms. So thank you.
[00:05:58] Aanchul Gupta: Thank you Tom and Camille.
(short music break)
[00:06:09] Camille Morhardt: I am fortunate today to be here with Abhilasha Bhargav-Spantzel who’s Partner Security Architect with Microsoft, and she and I are going to interview Tom Garrison, he is a co-host of Cyber Security Inside podcast that we do together. He’s also Vice President of Client Security Strategy and Initiatives. And he’s also in charge of industry-wide initiatives and security research.
Tom, first question for you: you actually are doing security, but from within a product division at Intel. So I’m curious about your vision or your sense of the world in terms of what’s actually happening with respect to cybersecurity.
[00:06:52] Tom Garrison: You know, from my perspective, what I see is a sort of perfect storm that’s happening around cyber security. One is that the technology of our devices is getting more and more and more complex. And, uh, the analogy I like to use with people is to think about, let’s say, a 1980s automobile, and you could have your buddy down the street who’s a garage mechanic work on your car and they could, you know, fix a carburetor or whatever needed to happen. That worked well in the 1980s. But if you have a 2022 car today, if you open up the hood of one of those things, I mean, good luck trying to find anything. The technology is so, so, so much more complicated. And the same is true for our platforms, whether it be a client platform, a server platform, and the like. Couple that with the fact that we have devices now being used in ways that have never been envisioned before: workers that are outside the four walls of the company, and so they are subject to whole different kinds of attacks.
And then the third is that the state-of-the-art in terms of security research and security attacks is significantly higher than it has ever been in the history of mankind. And so the combination of all three of those things all conspire to make the environment a very challenging one from a security standpoint.
[00:08:19] Abhilasha Bhargav-Spantzel: You talked about the complexity and the attack surface that is associated with it. What did we do with a car which has all these bells and whistles? It’s hard to interpret it. And what are the steps that one can take to build that trust and reliability that we need from these products?
[00:08:39] Tom Garrison: I think it first starts with a realization that we can’t have third parties acting on behalf of the device makers. So in the case of, say, Intel silicon, Intel CPUs or wireless components or whatnot, we shouldn’t be satisfied with third parties that are trying to interface in to say, is this device safe or not? I think we as an industry need to become more confident in that you need to talk directly with Intel to be able to say, “is our technology working as expected?” And the way that Intel and others should do that is through interfaces, so that we provide interfaces that are secure, that are trustworthy, that vendors can utilize through APIs or otherwise to be able to attest whether or not the devices can be trusted. And that hasn’t really existed in a robust way in the past. And I think that’s the real opportunity: if you’re trying to figure out whether a device is safe and the only person you’re talking with is somebody who is trying to determine it themself, as opposed to really deeply partnering with the technology providers, I think you probably aren’t as safe as you could be if you were working with somebody who had partnerships that co-developed the solutions to be able to attest whether the device is really trusted.
[00:10:08] Abhilasha Bhargav-Spantzel: Because also of the need to partner with so many different vendors, uh, supply chain becomes such a critical aspect of it. So what are the things that we’re doing with respect to creating innovative solutions that allow us to build that trust across the entire set of partners or the supply chain?
[00:10:29] Tom Garrison: Yeah, as you point out, it is a complicated problem. And the reality is, what we are trying to do at Intel is to take the first step.
And that first step is around transparency. So what we want to do is to peel back this sort of almost secrecy that’s existed around what components are used to build your device–whether it’s a PC or a server or an IoT device. And we think with that transparency comes a level now of intelligence you can have around “Okay, do I know what state those devices are in? And do I know what firmware versions they’re running, or do I know that the patches have all been applied that are appropriate for those devices?” And furthermore, you can make other choices around “do I really want to have a device with maybe, uh, devices that come from parts of the world that you’re concerned with?” And so all of that comes together and allows and empowers customers to make intelligent decisions around their platforms. And the state of the device: is it trustworthy or not? And how do I manage it over time? And am I smart about updates? Do I have a process around updating these machines on a regular basis?
Those are all things that come with transparency. We think that’s a great healthy first step.
[00:11:54] Abhilasha Bhargav-Spantzel: What can users do to make themselves safer as we continue to enjoy the innovation and the various solutions that are out there?
[00:12:04] Tom Garrison: The most important thing that a customer or an end user could do is to be able to ask themselves the following question: do I know if my machine has been fully updated from all the known vulnerabilities for my platform? And if you know the answer to that question, then that is a very healthy first step. By itself, it’s not the end all be all to the answer of everything because, as we all know in the industry, this is a very, very complicated problem. But what I am saying is that while this doesn’t fix everything, this is a very, very good first step.
[00:12:49] Camille Morhardt: I want to ask you, um, again, I’m interested in this product perspective that you have. So what are some of the things that you do besides checking that you’re accounting for known vulnerabilities in incorporating any kinds of components or software?
What other kinds of things should sort of world-class product divisions be doing?
[00:13:12] Tom Garrison: So there are lots of steps, as you can imagine. The first would be how much are you investing yourself as a product division in security research–not just relying on external researchers to find vulnerabilities in your platform, but with a deep understanding of your own product, your own architecture, the trade offs that you’ve made. What you want to be able to do is stay in front of even external researchers, even ethical hackers. You want to be in front of them with your own development teams. And you can only do that if you’re investing significantly in your own security research. That would be step one.
Step two is, do you have a process to take the key learnings and develop them as part of your future products? Not just fixing your historical ones, but ensure that your future products are also safe. Those are two concrete steps that world-class providers of technology should be utilizing.
[00:14:11] Abhilasha Bhargav-Spantzel: How does one share these best-known methods across the industry?
[00:14:16] Tom Garrison: We at Intel, we have a couple of different strategies that we employ there. One is we have trusted relationships with some of the biggest players, whether they be cloud service providers on the server side or on the client side, you know, large, uh, large technology providers that we have very, very deep technical engagements with and we share lots of information.
Intel also participates in coordinated vulnerability disclosure, which means that we have a very, very rigorous process in terms of how we maintain confidentiality around vulnerabilities. And we don’t talk about them until we need to with either a partner, as we’re developing a shared solution that requires both parties to do something, or we don’t disclose it as just part of a public disclosure until we already have a mitigation.
We also have within Intel a PSIRT team, Product Security Incident Response Team, and that team engages with our partner PSIRT organizations, uh, with Microsoft, with all the OEMs, as well. And so there’s a very robust relationship that exists there so that we can do that timely information sharing when it’s appropriate.
[00:15:34] Camille Morhardt: Tom, thank you so much for joining us today. It was really fun actually interviewing you with Abhilasha, who’s also been a guest on our podcast in the past. Thanks again for your time.
[00:15:44] Tom Garrison: It was a pleasure.
(short music break)
[00:15:54] Tom Garrison is going to hop back into the host seat as we wrap up this episode of Cyber Security Inside, featuring panelists from the 2022 RSA Conference. Our final conversation is with Dr. Diane Janosek. She is deputy director of compliance for the NSA, the National Security Agency with experience spanning legal, policy, and executive management in the U.S. government. She has numerous awards for women in security, including the 2022 Women in Cybersecurity Leader.
[00:16:23] Tom Garrison: I thought maybe we’d start off with something we’ve sort of mentioned in the past, maybe a little bit, but most people haven’t really thought about it and that’s the use of artificial intelligence and use of that to attack somebody. And I wonder if you could just share some thoughts about how real is this threat and what can companies do to help alleviate that?
[00:16:45] Diane Janosek: Our adversaries have two intentions in mind, that is, to make as much money as they can off of you or cause as much disruption as they can–or the two of them together. And they’re using adversarial AI where they’ll come together and understand where the sweet spots are to affect us and to cause the most amount of damage or harm or financial damage. So from an adversarial AI perspective, how do we respond to that? We have to recognize that our AI, which is phenomenal, or machine learning, uses lots of different datasets and it depends upon the integrity of that data for the algorithms to actually work. If our adversaries are altering that data, recognizing that we’re using certain models, our models will be incorrect. We won’t even realize that our models are actually directing us to the wrong place. It’s a double-edged sword. So we have to recognize what they’re doing, how they’re doing it and be able to respond.
[00:17:39] Tom Garrison: From what we know so far–and it is still relatively early days for artificial intelligence, you call it adversarial artificial intelligence–is the nature of an attack, different if it is an AI- based attack versus the more, I guess, traditional old school of a human-generated attack?
[00:18:01] Diane Janosek: Oh, absolutely right. The velocity and the complexity or the sophistication of those attacks across multiple domains, across multiple platforms can only occur usually with some sort of assistance. Cyber criminals, they’ll work across any domain to achieve their end goal. And as a national security agency, one of our missions is to help protect and defend the United States of America as part of the Department of Defense and as a member of the intelligence community. What we need to ensure is, with cyber criminals, the same way that on the law enforcement side it would be someone coming into your home and disrupting your daily life at home, if they’re doing that through the digital network, you need to be assured that there is somebody hopefully watching that threat vector, stopping that threat vector and stopping any type of activity, malicious activity, that could come your way.
[00:19:05] Camille Morhardt: Can I just interrupt and ask? Does that include like critical infrastructure that’s not necessarily government owned?
[00:19:13] Diane Janosek: So the way that we look at the critical infrastructure sectors is there are currently 16 of them. Critical infrastructure is infrastructure or sectors that our country is so dependent upon that if they were somehow degraded, we would all be impacted, right?–like the energy sector and the transportation sector. So currently 80% of the United States critical infrastructure and the telecommunications that underpins that is run by the private sector. So even if I get the A in 20%, which is the defense with the telecommunication side, it’s not good enough for the country. I mean, getting 20% is not even a D, right, it’s an F. So even if I get an A, the country doesn’t get the A.
So what do you have to do to kind of raise the bar? It’s giving the tools and the information, sharing what we know about vulnerabilities, sharing what we know about threat factors, sharing what we know about adversarial attacks and with the emerging threats that are coming down the pike. If we can share that with the other 80% in the healthcare sector, the financial sector, the energy sector, all 16 sectors, especially like the water right up to supply chain of just the water. If we can share what we know, Americans as a whole can go to sleep knowing that their country is better protected.
And I’m only doing that because I’m sharing the data that I know through the information that I’ve gathered. What that means is when we perform our signals intelligence mission–understanding what our adversaries are saying and doing, and maybe plotting against the United States–or we’re doing cyber security–defending the networks that you know, that for which we run sensitive data on–when I do that, I’m going to have access to a lot of data. I have to make sure that I protect that data, that I ensure that it’s constitutional before I accept that data into the systems that we have, that we treat it properly, that we don’t have to take data that’s on US persons and Americans. So we need to be able to do the signals intelligence mission and the cyber security mission while protecting the constitution. And that’s a very fine line in a world where it’s completely data intense.
[00:21:22] Camille Morhardt: So Diane, I’m wondering what should Americans be asking of our government and actually of our industry as well, especially with this explosion of data collection around artificial intelligence, when it comes to privacy and security.
[00:21:35] Diane Janosek: As Americans, what I would expect of big tech and your government is to work together. If I at the National Security Agency have information that can protect Americans, I should be sharing it. If the private sector has information about what’s going on, what the particular vulnerabilities are, where they can see some particular ransomware trends, share that information; don’t be afraid of really partnering, because through partnerships between state and local, the universities, industry, the nonprofits, the government sector, if we can share that data, that’s how we really have our shields up. That’s how we come together. And we’re more fortified together. I would expect as an American that your government is transparent with what it’s doing and, you know, that it’s taking all efforts it possibly can to secure you in your home and your daily way of life, and that we are partnering with the best and the brightest across the private sector to make that.
[00:22:40] Camille Morhardt: And I mean, what kind of demand should we have from the privacy perspective, if we’re talking about sharing data across government and industry?
[00:22:48] Diane Janosek: I would say that we should ask our government and the private sector to be transparent with what they’re using the data for, and to truly collaborate. Don’t just say the words “public-private partnerships”; actually understand what that means. See how you can integrate your systems to share the data in an appropriate, lawful, legal way, so that at the end of the day, we are all stronger and safer as a nation.
[00:23:15] Camille Morhardt: So Diane, who really is responsible for worrying about cyber security in this country?
[00:23:23] Diane Janosek: It takes everybody. It takes people patching their systems, doing the updates on their iPhone, making sure that they have a password on their home network. You want to make sure that the government’s doing the right thing, that they’re really locking up the supply chain, that they really are securing water supply plants. The planes are safe. The hospitals are safe.
At the end of the day, cyber is personal to me; my mother, my brother, my neighbor, my husband, my children, cyber affects all of us. And so whatever we can do to really secure it in a way that makes sense and that’s transparent and defensible, we should be doing.
[00:24:00] Tom Garrison: So Diane, thank you. I know that Camille and I are both dying to ask you so many more questions, but we don’t have time today. But I do want to thank you so much for joining us and we look forward to having a future conversation.
[00:24:18] Camille Morhardt: Thanks for joining us today for conversations focused on a whole-society approach to cyber security. Aanchul Gupta of Microsoft, Tom Garrison from Intel and the NSA’s Dr. Diane Janosek spoke on this topic as panelists at the 2022 RSA Conference.