Hi everyone and welcome to this podcast. My name's Patrick Gray. And normally you'd be hearing a podcast by Tom Uren and the Grugq, Between Two Nerds, but the Grugq is traveling this week. So I guess this is Between Two Other Nerds. I'm just back from San Francisco where I hosted this conversation with the former director of the CIA's Center for Cyber Intelligence, Andy Boyd. We recorded this yesterday
in front of an audience at an event being run by Decibel Partners, the VC firm. And it's more of a conversation than it is an interview. And yeah, again, like if you tuned in really wanting to get your fix of Tom and the Grugq, I apologize that it's me.
This edition of the Between Two Nerds or the Between Two Other Nerds podcast is brought to you by Okta. And my colleague Adam Boileau did a really interesting sponsor interview with them too, which was published on Monday into this RSS feed. And that's about how Okta is pushing into centralized app authorization. So they're trying to do for authorization what they've already done for authentication. And you can find that interview, yeah, a couple of podcasts back in this feed.
So I'll drop you in here where we're talking about some recent Russian attacks against water and sewer infrastructure in the USA and the absolute lack of attention that those attacks are getting. Have we exited the era of hacking as signaling? Here's Andy Boyd sharing some thoughts.
So I don't know if we've exited that era, but adversaries still think they can use that. And the incident that Patrick's talking about is the multiple attacks against water infrastructure, wastewater infrastructure, OT infrastructure, where most people are attributing it to the GRU. Some of this is to signal dissatisfaction with U.S. policy on Ukraine, in particular the recent signature
of the Ukraine aid bill, the $69 billion that was going to the Ukraine. But signaling doesn't work if nobody's paying attention. And as far as I can tell, the latest OT attacks against water infrastructure and the latest one I think was in New Jersey where a cyber attack
OT attack had a physical effect, no one has really noticed. So maybe you're right, we've passed through that era or we're in the infancy of OT attacks and we don't really know how to respond to them. I mean, so I compare, you know, this idea of performing an attack like that, you know, as a type of like state signaling performance art.
These days, I think, say, 10 years ago, that seemed like, OK, cyber, signaling, it's all happening. Whereas these days, it just kind of seems a bit dumb, right? Because I don't think anybody in this room would think that Russia needed to express its dissatisfaction with the United States policy vis-a-vis Ukraine, right? Right. So then we contrast something like that with Volt Typhoon. And I think to the credit of the Five Eyes agencies, they've been really out there talking a lot about it, right?
Which, again, you know, I think that's new. That's relatively new. That's a last decade sort of phenomenon that they talk about this stuff. And it makes a lot of sense when they need a lot of cooperation from infrastructure providers to, you know, deal with the threat. But I guess that's why I keep coming back to that idea of like maybe this, you know, this signaling idea is finally, you know,
being buried where, you know, in the ground where it belongs. But I mean, the two are, you know, comparing apples and bowling balls. I think Volt Typhoon is... Well, but that's what I'm saying. That's what I'm saying. Like, this is the stuff we need to worry about, less so the demonstrative, like performative attacks, right? But I do think the Russians either intentionally, you know, probably unintentionally are teaching us a lesson. And I do think once we start unpacking these OT type attacks...
we are going to start focusing on the security, and they may keep trying this juvenile signaling, but I don't think it's over per se. I think the impact is going to be minimal compared to Volt Typhoon, which was preparation of the battlefield, so to speak,
on critical infrastructure in the event of a cross Taiwan Strait or other PRC-United States conflict. I think Volt Typhoon, as you correctly pointed out, the intelligence community, CISA, and the rest of our Five Eyes partners put an enormous amount of effort, and our private sector partners put an enormous amount of effort into collating both classified and open source intelligence into defending against that. I think eventually we're going to be doing, maybe at a lesser scale, some of the other OT projects
critical infrastructure systems. I mean, surely some of this has got to be like a state culture thing, right? Between the Russians and the Chinese, because we have seen the Russians show a lot of, you know, they've done some stuff that hasn't really achieved any effects, but is big and splashy. You look at their attacks against electricity infrastructure in Ukraine. What was that like 2015-ish? You know, to what end? Nobody seems to know, right? So I guess I'm just
I guess I just think some of this performative stuff is just going to increasingly fade into the background, right, while we're dealing with the really big, scary campaigns, which are clearly not about signaling.
And not about signaling, but again, the last time you and I were on the air together and stealing a point that Rob Joyce always used to make is Russia being a tornado, China being climate change. You know, similarly, but the Russians still have an enormous amount of cyber capability used in the espionage arena, APT29 and whatnot. I think that will continue apace at a very sophisticated level.
It's almost as if, frankly, the signaling is a distractor when the real activity from Russians may be happening in other spaces. Well, it's not working because nobody's talking about it except for us here, right? So that's good. So as you mentioned, when you were still at CIA, you came out of Risky Biz, and I didn't realize it had been that long, but it was February 2023. Yes, it was. Which is amazing because that's gone so quick, right? And we spoke a lot about just the general threat environment.
Anytime you talk to anyone in the IC, you know, the countries that always come up, it's always going to be China, Russia, Iran and North Korea, pretty much in that order. And, you know, we spoke a little bit about non-state threats like ransomware and whatnot. I'm curious, though, you know, a year and a bit later, what's changed?
So, I mean, I think it's continued to evolve. I mean, Volt Typhoon, we started unpacking that. And I think after your show, I mean, you were kind of intimating during that interview that there was something cooking, I guess. I mean, I think the coalescing of all the cybers, as you refer to them in the U.S. government has been quite extraordinary across DHS, the Intel community, DOD, the policy community, State Department, net net, an eight fix team. That has been fairly extraordinary. I,
I do think the next phase, as you know, we're in mid 2024, there's 50 different heads of state election cycles happening across the globe, our own here in the United States. I think, you know, the Russians have been a nuisance, but not a major threat like Volt Typhoon and the PRC. I think that'll continue to evolve internationally
in the disinformation space. A lot of the core function of some of the Russian intelligence agencies is disinformation campaigns. Now we're in the epoch of deep fakes. We saw the robocalls, President Biden robocalls before the New Hampshire primary telling people to not show up for the polls. I think that is going to increase and accelerate. And people ask me what my fear is in that space.
It's not that sort of continuous boil of disinformation. It's the disinformation that is very localized, 72 hours, 48 hours out from our November elections, wherein it says the place where you normally vote burnt down. Oh, there's a flood. So the vote's actually going to be tomorrow morning or you can't vote at all. And it takes three, four hundred, five hundred voters off the rolls.
That may happen, and I'm not so certain that despite the coalescing of all the cybers in the United States government, that we have the dexterity to move at that pace. 72 hours, 38 hours. I had a really interesting conversation with Alex Stamos and Chris Krebs, which is going to be published into an upcoming podcast soon. Wide World of Cyber, our latest thing. So...
The topic was AI, and it was really interesting speaking with Chris, who used to have the responsibility in the US government for election security, just talking to him about what concerns him, particularly around where AI meets disinformation. And one thing that I guess has changed since we last spoke is, you know, China, MSS, known as very capable actors, very capable at intelligence collection, pre-positioning, although I don't think that's MSS, but anyway, pre-positioning for things like Volt Typhoon.
They really appear to be building up a couple of different things at the moment, though, which are, you know, alarming in a different way.
One is influence operations, which in the past when we've seen China try to do it, they weren't very good at it. And that's changing. Every time, like the other day, there was a little bit of drama in the South China Sea between an Australian Air Force helicopter and the Chinese military. And they dropped some flares on the helicopter. You go to any tweet or X or whatever you call it these days.
And look at the replies, and it's clear that a lot of them are pro-Chinese bots, right? And that's quite new. They don't have a trust and safety team there anymore, so they're just running riot. And I think a point Chris or Alex made is that there are so many racers
Oh, hang on. Winding back a second. The second thing that we're seeing out of the Chinese are these really at-scale harassment campaigns targeting critics of the regime all over the world. We see that in Australia. We see it everywhere.
You start to add all of this up, and it starts to look like a bit of a tangible election threat. And the point those guys made to me in that interview is that there are so many races, and you don't need to target the big ones. You can target that congressperson who's very critical of the CCP. You can make their life hell. So you get scale with AI.
I'm convinced the PRC and maybe to a lesser extent the Russians have an intelligence understanding of local congressmen who, to your point, are not going to be able to do anything about it.
Don't don't have a supportive view of the PRC or the Russians to a degree that we don't even know, you know, a major portion of our Congress people. And we'll focus like on that one congressman in Iowa or Wisconsin or Michigan swing states that really matter and do that.
But I do think the defense is in the ascendant on that. I mean, there's a number of companies, even companies represented here at RSA. Reality Defender just won the Sandbox Award there. That's such a dystopian name. Reality Defender. My God, that shouldn't be a product. But defending against deep fakes. I mean, there's other smaller startup companies.
whose whole mission is to pre-bunk, I'd never heard this term before, not to debunk disinformation, but pre-bunk, and getting ahead of the disinformation campaign and state-derived or non-state actors as well. So I do think it's not all doom and gloom. I do think the defense does, you know, have a vote. I mean, I think there's going to be a generational change as well. I mean, you talk to the average 20-year-old and they don't believe anything they see on the internet. So it's really the people who are being...
You know, who are just a little bit too old, right? Often, who get caught up in a lot of that stuff. But even pre-internet, I mean, that was the Russians' goal back to the 20s when, you know, Lenin was still around. It wasn't necessarily shaping minds. It was basically...
Confusing people. Confusing people so that they don't believe anything. I mean, the goal of this disinformation was like, you know, the media, the print media, the televised media, and today's epoch, the internet media, it's all BS. I'm not going to listen to any of it. Yeah. So, look, sticking with those, you know, those four main actors, right, where we got China, Russia, Iran, and North Korea, you know, in the last year and a bit,
What have you seen out of any of them to suggest that they might be changing anything? Has anything changed in terms of scale, technique, focus? I'm not sure if it happened after we were on the podcast, but I was, and I'm saying this not from an advocacy perspective, but I was impressed with how the Iranians use their cyber tools in Albania.
I mean, it was a bit of coercive diplomacy against the Mujahideen-e-Khalq, which the Albanian government allowed to hang out there. Does anyone here have that backstory? Because it's actually really interesting. Yeah.
Okay, so, I mean, we probably want to explain the background there, right? So, yeah, the background is the Iranians took down the Albanian government systems for weeks on end. It resulted in a whole lot of folks flying out there from the government and the private sector to fix it. But the Iranians were sending a message like, we are not happy that the Mujahideen-e-Khalq has safe haven in Albania, and we're not going to bomb Albania, but we're going to do something that is going to be a coercive diplomacy step that will make you change your mind on that, and I think it worked.
I mean, this is coming back to, you know, we started this off saying influence operations are garbage. And now we're talking about, well, that one. Influence and coercive diplomacy are slightly different. Yeah. Yeah. I mean, we should probably explain that the MEK is essentially an Iranian opposition party with some pretty funny ideas of their own who set up. Yeah. I mean, you know, they've set up shop in Albania.
They have their own compound. They do. And are known to engage in some pretty spicy activities of their own, right? So they'd been engaging in attacks against the Iranian government from Albania. So, you know, on one level, you could see why Iran had a reasonable case that this wasn't cool, right? So, which is very... But from a purely analytic perspective, man, I just think it's a very noteworthy
use of cyber tools that, you know, you previously a decade ago, you just wouldn't have been able to do it quite that way. I think the other big change, and it perhaps had something to do with the job I was in where I was focused on the big four, China, Russia, Iran, North Korea. But from a state actor perspective and their threat therein, I kind of downplayed the ransomware threat. And I think that was a mistake.
And I've been speaking publicly quite a bit about where we are in 2024. And I do think it's much more of an existential threat than it had been previously. Frequently, the groups are at least in a dotted line relationship with the state actor, usually with the Russian intel services. But the fact that UnitedHealthcare had to pay, Change Healthcare had to pay a $22 million ransom, a lot of people in the media focus on that ransom payment. And the fact that in 2023,
across the United States, we paid over a billion dollars in ransom for ransomware payments. But I think the real story is that the cost for UnitedHealthcare is now north of $1.2 billion. I think that's a conservative estimate because the downstream effects of that, I spoke to CISOs, well, at least one CISO in the medical industry here in the United States when that was all happening. And there were clinics, small hospitals that used a lot of Change's billing services. They couldn't make payroll. Right.
Like, it was a shit show. It was a proper level five shit show. And then you multiply that across, you know, the 16 critical infrastructure sectors that CISA identifies. And it's a major, major issue for our economy. It's a major issue for our national security. And as you've talked about on your show, hospitals and our school systems. I mean, I do think throughout 2024, we're going to focus a great deal more effort and
look to other parts of the cybers and the US government and our partners to apply more aggressive tools to this because we have no other choice. Yeah, now we'll get to that part in a moment, but I just want to ask you, do you think that the threat became more critical or do you think that was the change was within you and how you saw it? Because we'd already seen Colonial Pipeline, JBS Meats, a zillion hospitals, you know, I mean, because I've been banging this drum for years, right? A lot of people in here would know that. So I wonder, like, did it suddenly become more critical or did you just take a fresh look?
I think both. I mean, I took a fresh look, but I also think the UnitedHealthcare Change Healthcare was, you know, quite a, it wasn't as press worthy, I guess, as Colonial Pipeline. But when you're talking about the payment mechanism at Colonial Pipeline, which was really what that was all about, that is much less of an issue than I think what we had to deal with over weeks on end. And it's still ongoing with UnitedHealthcare. I think it's at a different place. The fact that Americans on the Eastern seaboard filled up plastic bags
with gasoline and put them in their truck, I think said more about Americans than it did about ransomware. Yeah, yeah. Yeah, so we're recording this on the day that LockBitSupp, who runs the LockBit ransomware operation, was named, charged, and sanctioned.
you know, Western governments had threatened to do that and indeed had a countdown timer. They balked, they blinked, they didn't do it originally and they've done it now. To me, this indicates that they're about to get serious, right? That they're prepared, instead of just doing takedowns and whatever, they're prepared to actually do information operations against these guys, like, you know, more aggressive stuff. Funnily enough, we've seen that out of Australia during COVID. There was a fraud campaign targeting COVID relief payments and that got shut down by ASD,
and a bunch of other agencies, but there was information operation component to that where they went into the dark web, degraded this person's malware, then posed as an angry customer, destroyed his reputation. They blocked this stuff at the telco level. It was largely SMS based as well, but they did a terrific job on that and have spoken about it publicly. More recently, we saw them identify and sanction the person behind the Medibank campaign,
who went to jail a few days later for crimes committed within the Russian Federation. And I wonder if ASD had a role in exposing evidence of said crimes to Russian authorities. I suspect that may be the case. So that to me smells a bit of an information operation, whereas what we've seen coming out of the US government so far has been takedowns more akin to dark web takedowns, which I've always thought was a bit weak sauce, if I'm going to be honest. What's your thinking on how to best tackle this problem from a...
a, you know, sort of combined law enforcement intelligence, whatever, like whole of government approach? I mean, I think the news today is a leading indicator that the FBI is going to get more aggressive, obviously, with the backing of the Department of Justice and the policy community at the White House. But,
Until we can scale it and we treat the ransomware actors as a, like we've done with counterterrorism where they're what we in the counterterrorism community, we call a fine fix finish issue, an intelligence collection issue where you have to collect the intelligence on locations, the dispositions, the payment mechanisms, the crypto wallets of these actors and dismantle them at a pace and a scale akin to the counterterrorism campaigns. And you,
use all the authorities of the US government, the intel community, not just law enforcement, because we've focused a great deal on law enforcement to date. Once we start doing that, what happened to LockBit with the operation, what then was released today, will just look like an average Tuesday. Well, that's right. And someone commented, I won't say where, but they commented recently that being the director of operations for Al-Qaeda used to be a really bad job.
Right. Because you would last about 10 minutes in that job because you'd immediately become a target. And it wasn't a job everyone really necessarily wanted to have. Like, congratulations, you've been promoted. You're our new director of operations. It's like, OK, I'll get my affairs in order. And, you know, we need we need something along those lines, don't we? I mean, obviously, we're not going to.
The result won't quite be the same, but certainly I feel like if you get to a point where you're successful either as an affiliate or as a ransomware as a service operator, if you're going to get named, charged, sanctioned, travel banned, you know, I mean, I don't know that each one of those things is a problem. Particularly, even just being named, right? Because all of a sudden, this poor guy, well, I won't call him a poor guy, this LockBitSupp guy, they're like, hey, here's his name.
He's got $100 million in Bitcoin. And very quickly, people went to Russian data breaches and they have found and published his home address is all over social media right now. I wonder how many people are currently like as we record this driving to the guy's house with a lead pipe.
to see if they can extract some Bitcoin from him, right? And that's an extraordinary hill for the lawyers to get over. Yes. And the fact that they did, I think, is again a leading indicator of where we're going with this. Well, and that's why, and it's so funny that you said that, because in my conversation with various government officials, they're so concerned around the human rights implications of doing something like this to someone, because you are kind of denying them due process, you're putting them at risk.
Right? I mean, I think it's a bit of a weak argument when you're also indicting them. Like, you know, how else are you going to do it? Sealed indictment? It doesn't make sense. But there has been...
Yeah, a lot of worry, hasn't there, about violating the human rights of ransomware as a service entrepreneurs, which just seems a bit insane, I've got to say. Because I'd like to see that BlackCat and ALPHV had gone against each other because I guess one of them kept the $22 million ransom payment from United and didn't pay off whoever they were supposed to pay off and then went back to United Healthcare and say, no, we need another trial. I think they sorted that out between themselves in the end. But had the personal information of those actors been...
been leaked if we had it, that would have disrupted that entire chain, would have probably saved UnitedHealthcare some money, and disrupted, because the key to the whole fine-fix-finish thing, the finish in the counterterrorism space was
either arresting or killing said terrorists. We're not going to use kinetic authorities either in the military. That's a wonderful U.S. government euphemism, isn't it? Kinetic authorities. Yes. That's great. Against ransomware actors. A, it just wouldn't meet that threshold. B...
They're all in Russia, so that would be like an act of war. So we're just not going to do that. Well, I mean, and government has been concerned, too, that doing this sort of thing might escalate. Right. You know, which, again, I think is a bit of a weak sauce argument. But just going back to something you said a moment ago, which is that it's the signal for me as well. The fact that they did this, knowing what I know about how nervous the lawyers have been about it,
shows us that there is some actual political will behind solving this problem, and I feel like that's kind of new. Yeah, and I absolutely believe there is political will, and the pivot point, I think, may be the UnitedHealthcare, or it could have just been an aggregate of all those incidents. But again... Well, it's also the takedowns not having made a substantial dent on the problem as well. Yeah, and then sort of jersey-switching and becoming, you know, new outfits as well. But
The key is disruption, and you don't have to kill the ransomware actors to disrupt them. It might be fun. It may be fun, but if you disrupt their payment mechanisms, their ability to actually do what they're doing as criminals, the infrastructure, will it reconstitute over time? Yes, but then you do it again. Okay, so that's the question, right? Because I think you and I agree on this. Was what we saw today point in time, or is this the beginning of something that's going to be more rolling? Because I feel like it's the latter. I feel like finally...
Years too late. The gloves are coming off. I mean, I haven't had this conversation with the FBI cyber guys, but my assumption based on my knowledge of their thinking is this is just the start and this is going to continue. It's going to be a campaign. Yeah. Unlike any campaign like this against a competent adversary, it's two steps forward, one step back. And we will continue to see groups like LockBit come back from the dead. But they never came back.
They didn't. They had the appearance of coming back, but they didn't really. Like, they were recycling old data saying, look, we just owned these guys and they did it two years ago. Yeah, yeah. I mean, I think the best indicator a year from now, if we're having success, is if ransomware actors are no longer doing selfies with their Lamborghinis. Yeah, I think that'll be an indicator we've succeeded. Because...
In the 1990s, terrorists used to do that as well. Hey, here's me with my AK-47. Take a picture of me. And that was probably the last picture they took. So we're going to wrap up the podcast recording here. Andy Boyd, thank you so much for joining me to record this special edition of Between Two Nerds. Yes, and thanks for having me back a second time.