[00:00:18.430] – Steve Maresca
[00:00:19.720] – Jason Pufahl
It seemed relevant, given everything that’s going on here with Ukraine and Russia, to maybe spend a little bit of time on cyber warfare. We certainly deal on, to some degree, I’ll call it the consumer end of incidents in ransomware.
[00:00:37.270] – Steve Maresca
The receiving end.
[00:00:38.300] – Jason Pufahl
The receiving end, right? There’s a lot of talk in the news. I think people are certainly bringing up, what does it potentially mean for us maybe here in the United States? What does it just mean more generally? What is cyber warfare in a lot of ways? So I think similar to some of our other podcasts of maybe cyber warfare 101 to some degree, covering what are the risks that we think might present themselves here, maybe in the not too distant future? What are the type of attacks that we should expect to see? What targets might be attractive? Is it purely technical? Are there other things out there that we need to consider a little bit? I don’t know if either one of you want to take a stab at maybe what is cyber warfare perhaps?
[00:01:23.830] – Matt Massaro
Sure. Maybe let’s talk about how targets are picked for something like this and what types of attacks that we’re looking at, right? Jason brought ransomware, right, but we’re not going to see ransomware most likely in a cyber warfare type of engagement, right? We’re going to be looking at destructive types of attacks to either take a service offline, maybe even kill people, right? That’s a very likely thing to happen, especially if it’s during an operation. That’s one thing to remember, too, is that most nations don’t have the type of cyber capability that some others do. For example, we have a pretty strong cyber program. We assume that Russia has a pretty strong cyber program. It’s a lot of assumptions on what everyone has right now, too, because we haven’t really been in a cyber war yet, at least that we know about.
[00:02:19.370] – Steve Maresca
I think I’d say that the framing is that any true cyber warfare aims to do a few things. Either disorient an enemy by reducing the information that they have available, by flooding them with information to damage the enemy in some capacity, undermining their critical infrastructure, or otherwise distract. Because deception is part of the game. Feinting attacks are really important. If you can achieve any one of those three, in large part, you’re facilitating actual warfare goals in the physical world at the same time.
[00:03:03.390] – Jason Pufahl
Right. So when you’re saying critical infrastructure, I think water, power, maybe internet, right, the ability to transmit data, potentially.
[00:03:16.750] – Steve Maresca
Certainly communications. Think back over the last 20 years. There have been a lot of suspicious severed undersea cables. They’re test exercises. They’re deliberate. If you have the ability as a nation to disrupt communications, you inherently place your foe on an island. So I think that you’d absolutely include communications at the forefront of that. To some degree in cyber warfare, you preserve communications for as long as possible because they are the means by which you make those attacks a reality. But critical infrastructure could be economic, it could be industrial, right?
[00:03:58.580] – Jason Pufahl
So actually, that’s the segue I was thinking of going into, which was how much of the financial system is considered, say, an infrastructure style attack? Versus, is that just a mechanism perhaps, to control your enemy, right, which I think we’re seeing certainly on the Russian side.
[00:04:18.540] – Matt Massaro
I think financials will be targeted quite a bit. Right. Probably right out of the gate, too. You’re trying to be as effective as possible with the attacks that you’ve got. Financial impact is something that creates a lot of suffering, whether it be psychological or what have you. That’s a good weapon to use if you’ve got it.
[00:04:39.870] – Steve Maresca
Accordingly, financial trading houses and so forth are some of the best defended institutions in general from a cyber perspective. New York Stock Exchange is bristling with the best technology and best software that you can imagine for this sense. It’s part of the equation. If you can undermine a country’s or an organization’s capability to pay its bills, that compels their behavior in a direction away from the other warfare goals. It’s altering the calculus, and that’s the goal, ultimately.
[00:05:17.040] – Matt Massaro
Yeah. I think anything that we would see here at home would be for that long game, right? Financials, the critical infrastructure pieces that we talked about, water, electricity, things like that. Any attacker would want to impose great inconvenience and cause financial stress on the United States so that we have less of an ability to react kinetically, right? So to do those things, it would take a long time in a cyber sense to actually make that effective.
[00:05:48.920] – Steve Maresca
All the same, there are psychological outcomes of some of these attacks. The Colonial Pipeline was ransomware. It was isolated. It wouldn’t be considered cyber warfare, right? But a ransomware attack on a pipeline company in the petrochemical space caused panic buying, it caused shortages, even though there was no real shortage of gas. That chaos that ensues is itself a reasonable goal in warfare. You can link the two, especially when we’re talking about cyber warfare being something that facilitates war in the physical realm as well.
[00:06:30.270] – Jason Pufahl
The chaos statement is a good one, too, because I partly want to go down the path of propaganda, and I don’t know that you want to say that that is cyber war. Propaganda has been around for 100 years, right, more, you can go back far. But the reality is it’s easy to get misinformation out or disinformation really quickly en masse that’s really challenging now to sort the truth from fiction in a lot of ways.
[00:07:01.410] – Jason Pufahl
I’ve got a 15-year-old who is much more in tune with social media, certainly, than I am and I was fascinated to see what felt like very legitimate news coming from people on Instagram who had contacts in the Ukraine and yet were reporting almost in real time what felt like very, very factual information. But I found myself saying, “Well, really, how much does that individual really know and how accurate is all of this?” It’s really hard to take what appears to be a very authoritative source and not trust it and I think that’s part of that chaos that you’re bringing up.
[00:07:37.790] – Steve Maresca
It is. But it’s not really cyber warfare. This just happens to be the same old story that’s been always true for centuries.
[00:07:46.700] – Jason Pufahl
But you do it more quickly now, though.
[00:07:47.930] – Steve Maresca
Exactly. The speed at which information travels. What’s the adage? Truth flies more slowly than falsehood or something to that effect. I’m butchering it.
[00:08:00.070] – Jason Pufahl
Yeah, [crosstalk 00:08:00].
[00:08:01.280] – Steve Maresca
The point remains, right? Confusion, if sowed, is just simply more effective in today’s sphere. But cyber warfare, it’s at its fringes. If we’re thinking about critical infrastructure, you bomb or you disable, in the real world, power transmission, power generation, gas pumping stations, life safety organizations, you inhibit communications. Those are the things that you can achieve with kinetic weapons like you were referencing earlier.
[00:08:37.550] – Steve Maresca
But if you’re an invading force, you want to preserve a lot of that infrastructure. If you can disable it entirely with your electronic attack, you are fundamentally making your spoils of war more functional when you walk in after the fact. That’s part of this to some degree. We’re talking about a conflict at the moment that involves annexation of territory in 2014, effectively planned annexation of territory at the moment. This is essentially part of the game and preserving infrastructure while still disabling it is one of the unique aspects of cyber warfare, in my opinion.
[00:09:22.970] – Jason Pufahl
[00:09:23.740] – Matt Massaro
Yeah. I think that goes to show that cyber warfare will look different depending on whether you have an invading force or not, right? The tactics change, the types of attacks will change. Like Steve said, they may not do much to a power grid, but just try to disable it for now, right?
[00:09:45.560] – Jason Pufahl
Because they want it to attack later.
[00:09:46.900] – Matt Massaro
Right. Communications were directly affected in Ukraine. I’m pretty sure that they’re pretty much only on things like Starlink at this point because Russia was successful in stopping communications, right? Communications probably wouldn’t be touched in the US until it’s time. You’re not going to burn those associations that you’ve got with people and companies, assets that you’ve got inside of their networks until it’s time, right, because everything is valuable at that point.
[00:10:14.810] – Jason Pufahl
[00:10:17.550] – Steve Maresca
It’s worth talking about the unique aspects of cyber warfare that make it a little different from traditional war. You have the capability to be very effective at wildly diverse disparate locations across the actual geographic sphere with one act. Say you’re targeting a company that has some important supply chain component for a conflict, right? Electronics, navigation systems, what have you. If you target their corporate headquarters in a different country and through that entry point, affect all of their other locations and manufacturing places, your distribution hubs everywhere in the world, you’ve effectively crippled their capability to support a war effort everywhere at once.
[00:11:09.800] – Steve Maresca
That type of asymmetrical aspect of the engagement is an old term in terms of warfare. But cyber war in particular emphasizes that asymmetry where defenders are fundamentally behind the eight ball. Honestly, attackers, because of the capabilities, because of the speed that information and attacks can travel, are able to achieve huge impacts very quickly.
[00:11:37.590] – Matt Massaro
To that end, then we’re talking about some of these infrastructure style attacks. For folks who are listening, if you’re a company that supports that industry or those environments in some way, you really want to look at some of the technologies that are in the space to help you more quickly identify attacks that might be occurring to your company with the ultimate goal of being able to provide access to power grids or water supplies, etc. So it’s not just going to go directly to a power company. There’s a lot of supporting organizations there, and I think they need to be mindful of what their security programs look like and what their protective infrastructure looks like.
[00:12:21.030] – Jason Pufahl
We’ve talked a lot about this, and it feels very defensive. Somebody is executing an attack. NATO has an organization, their Cooperative Cyber Defense Center of Excellence and they run tabletop exercises, I think large scale tabletop exercises every year designed to better prepare their staff and all the people supporting this on how to address the cyber attack, right? In some way, I still call it a defensive, maybe preparatory, right, but defensive. Is there any ability to go on the offensive when it comes to this?
[00:12:58.480] – Matt Massaro
Yeah. We absolutely have capabilities to do that. You’ll find very little information about it. Things that are typically considered weapons or an offensive weapon or anything like that usually end up being classified, so you’ll need certain levels to actually get any of that information. But just understanding how a lot of cyber attacks work. We definitely do have capabilities to do this, to attack back, to cause havoc, right? We’re not necessarily in the know of exactly what those methods are.
[00:13:32.850] – Steve Maresca
You have to remember a lot of the tools that we use as defenders are themselves able to cut both directions. A really simplistic example of that is how some of the tools we use truly when defending organizations will themselves show up in antivirus quarantines because they’ve been inappropriately or as collateral damage sucked up into the indicators of compromise or some attack.
[00:14:00.810] – Steve Maresca
The fundamental truth is that many of the things that might be used as a defender to define flaws, prioritize fixing, and so forth can also be weaponized in a way that deploys ransomware. It just takes a small additional bit of effort. Matt’s right that the actual capabilities are not necessarily publicized. There’s good reason for it.
[00:14:30.210] – Steve Maresca
Ultimately, most of the organizations that produce software of the variety that helps in offense really have a profit motive at the end of the day, and they have to operate within the bounds of law and want to have the largest customer base possible. So they want to stay away from export control problems and things of that variety. So it really narrows the field to very specialized players, and that’s, in my opinion, where it should stay. But the truth is that in the attack sphere, they’re not playing by those rules. It’s another example of asymmetry. The defenders have to play defined to the tools they have available. Attackers are not kept in such an enclosed environment.
[00:15:10.590] – Jason Pufahl
[00:15:12.090] – Matt Massaro
I’d say as far as where we might have an advantage would be probably on the battlefield, right? So I’m talking about cyber operations on a battlefield itself. At least from what I understand, we have more capabilities to have support operations going on either against actual weapon systems or aircraft and actually being able to launch attacks from a field versus having an operations center somewhere actually deploying those types of things.
[00:15:43.730] – Jason Pufahl
By we, you mean the collective we? NATO [crosstalk 00:15:46].
[00:15:45.880] – Matt Massaro
Yeah. Exactly, yeah. Pretty much any NATO nation probably has access to some of these things and then we have our own internal US type of capabilities as well.
[00:15:55.410] – Steve Maresca
At the edge of cyber warfare is, of course, espionage, and the US and EU in general are collectively, along with other peers like Canada, New Zealand, and Australia, the penultimate example of defensive cyber intelligence. They use it very effectively, demonstrated to some degree, calling all of the cards in the last opening [inaudible 00:16:19] of conflict that we’re seeing in the real world. Happens quietly as well. There are briefings occurring today about some of the unclassified ripples of what we’re seeing for defense in the broader industry that’s not part of the defense supply chain. It’s all part of that sphere, and ultimately, information is king. We’ve made those comments many, many, many times before. It’s exactly true here. It doesn’t change.
[00:16:48.870] – Jason Pufahl
When we were talking about infrastructure earlier, and actually, to be honest, I hadn’t thought about this too much before we started chatting here. Your healthcare, hospitals, etc., they represent real risk, especially during more traditional wartime where you’ve got patients and patient care, which has a huge dependence now on technology, right? If you can disrupt that, you really can affect your enemy’s ability to treat wounded, etc. I think some of that is actually called out in some of the legal work around the ethics of cyber warfare and what’s permitted and what’s not. It’d be interesting to see if that even evolves more, right? But to your point, there’s an asymmetry there because you can write down all the law you want.
[00:17:43.770] – Matt Massaro
Yeah. We’re seeing those types of things not being followed right now, right? So I have little faith that an attacking entity will follow those rules, right? So much of the Geneva Convention actually gets thrown out when you’re on a field with artillery.
[00:18:02.010] – Jason Pufahl
[00:18:03.030] – Steve Maresca
But there’s no question, though, that the capability is there.
[00:18:06.050] – Matt Massaro
No question. Yeah.
[00:18:06.980] – Steve Maresca
All of the ransomware that have affected healthcare facilities in the last 10 years have absolutely made giant waves in terms of news. But those have been unintentional side effects of not well targeted attacks in the hands of an actual strategic enemy. Yeah. It’s game over.
[00:18:31.760] – Jason Pufahl
Unfortunately, we know that the healthcare industry is, in spite of HIPAA, in spite of some of the other regulatory requirements, one of the least secure environments that we often run into. I’d say our power grid with some of the traditional controls there represents real risk.
[00:18:49.630] – Matt Massaro
Yeah. I think a lot of these entities need to start focusing on how to recover from something like that. Assume you’re not going to defeat the attacker, right? Assume you’re going to have a major incident happen when it comes to cyber warfare and have a plan. If you don’t have a plan of how to come back from something like that, you’re going to be in bad shape.
[00:19:10.970] – Jason Pufahl
Yeah. Both business continuity and disaster recovery. How do you run if things are disrupted?
[00:19:15.890] – Matt Massaro
If you’re facing a worthy adversary, they’re going to get in. They’ve got the zero days that have not been disclosed. They’ve got all the tools they need.
[00:19:25.630] – Steve Maresca
I think then on that note, one of the things that worries me most is where cyber attacks lead into physical impact. Power grid is a great example of that. If transformers at substations are in some way impacted because of instabilities and frequencies on the line, because monitoring equipment was disabled. Like the 2003 outage that hit New York, for example. Those take a long time to manufacture. They’re not just kept on a shelf somewhere. We’re talking about months of lead time. If enough of them are damaged all at once, you’re not coming back from it. Right. So isolation of sensitive equipment is really one of the key things.
[00:20:18.880] – Steve Maresca
Those systems are built to do that sort of thing, but there are plenty of examples where disabling a sensor here, shutting down flow of information there produces the same negative outcome as not having it at all. And ultimately preparing for that sort of thing, reinforcing your point, with actual physical inventory of x-ray machines or MRIs or parts is essentially an absolute requirement if you’re assuming a broad spectrum cyber attack.
[00:20:50.070] – Jason Pufahl
Yeah. We’re all at the whim of just-in-time manufacturing these days.
[00:20:53.450] – Steve Maresca
[00:20:54.670] – Jason Pufahl
That’s a good place to exploit it if you were going to attack it.
[00:20:57.420] – Steve Maresca
[00:21:00.370] – Jason Pufahl
Well, it’s a primer, right? I think the reality is we’re not going to go into every topic that we potentially could. I think our intent here is just to introduce the concept, some of the potential risk to folks who probably haven’t given it a lot of thought, and I think impress upon people that if you’re in the supporting industry, make sure that you’re doing what you can from a programmatic perspective, right? You’re building your security program to position you to defend yourself because I think really realistically none of us are going to go on the offensive. We need to be prepared. We need to understand what the risks are and do our best to position ourselves to either prevent them or recover, and that’s ultimately what we’re doing here. Any final thoughts at all that you feel we didn’t cover that you’d want to?
[00:21:52.390] – Matt Massaro
We could talk about this for hours for sure. Yeah, hopefully, none of you will find yourself in the position where you actually need to be the attacker here. But like Jason said, I’d say having a plan if you’re supporting these entities is probably the most important thing.
[00:22:07.430] – Jason Pufahl
Right. Well, on that note, hopefully, we’ve gotten people thinking a little bit. Give thought to your security programs, feel free to reach out to us. Vancord at LinkedIn is probably the best way. We’re happy to have a conversation with you just generally about the topic or if you’re concerned about your security profile, we’re happy to discuss that as well. As always, Matt, Steve, thanks for joining today and everybody, thank you for listening.
[00:22:34.570] – Speaker 1
Stay vigilant. Stay resilient. This has been CyberSound.