WEBVTT

1
00:00:00.000 --> 00:00:24.510
Anna Delaney: Hello, I'm Anna Delaney and thanks for joining us for the ISMG Editors' Panel, which does exactly what it says on the tin. ISMG editors meet on a panel to discuss the week's top cybersecurity news, interviews and trends. I'm very pleased to be joined this week by Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Really good to see you both.

2
00:00:25.260 --> 00:00:26.430
Marianne McGee: Hi, Anna. Hi, Matt.

3
00:00:26.850 --> 00:00:30.600
Mathew Schwartz: It's great to be here. I didn't get the water memo. I feel a little left out.

4
00:00:30.990 --> 00:00:38.760
Anna Delaney: I know. I know you didn't, but I can't wait to hear about your background, Matt. Tell us more. I think I know, actually.

5
00:00:39.120 --> 00:01:04.260
Mathew Schwartz: Yes. Well, you may have heard it discussed before. It's everyone's favorite museum in Dundee, the V&A, the Victoria and Albert design and fashion museum. It's a lovely edifice, but it's difficult to photograph. It's been a kind of personal obsession to try to figure out how to get this captured on film. And here, you can see just the cut through there to the river. So there is some water, I forgot. It's in this image, so I don't feel so left out anymore.

6
00:01:04.860 --> 00:01:29.520
Anna Delaney: What I find incredible is comparing it to the London V&A, because London's building is quite ornate and I don't want to put a date on it. But let's just say it's old architecture and very beautiful. This is quirky and modern. It's quite a contrast. But you will have to come when you're in London. Marianne, you did get the water memo. So tell us more.

7
00:01:29.970 --> 00:01:52.350
Marianne McGee: Yeah. I took this when we, my husband and I, were in Hilton Head, South Carolina, back in October. And as peaceful as this looks, there are alligators in this lagoon, and there are signs everywhere saying, "Watch out for the alligators." So I thought it was appropriate because it's kind of like cybersecurity. You think you're having a good day, and then all of a sudden, there's an alligator.

8
00:01:52.470 --> 00:02:11.910
Anna Delaney: There's a bite. Yeah, very good analogy. Well, I'm at Painshill Park, not far from where I grew up. And it's an 18th century landscape garden with plenty of grottoes and, you know, a water wheel and a vineyard, so it's gorgeous. And yeah, well, I love it for its pure tranquility. You know, I won't get alligators or crocodiles here.

9
00:02:13.710 --> 00:02:14.580
Mathew Schwartz: Just swans.

10
00:02:15.090 --> 00:02:45.690
Anna Delaney: Just swans. Quite violent at times. So I suppose like cybersecurity. Well, Matt, cheerful news again this week, perhaps. You've written that the FBI and international partners have announced the takedown of Hive infrastructure. Now, Hive, of course, is one of the world's most prolific ransomware groups. And it's an interesting case because it seems an example of offensive ops. So, hacking the hackers. Tell us more.

11
00:02:46.530 --> 00:07:58.710
Mathew Schwartz: Yeah, I know. Any kind of disruption is really good news. Lots to be celebrated there. So last week, on Wednesday, apparently, Hive's sites went dark. So you can get to its sites via Tor, while using Tor. So they were Tor anonymizing web browser sites, .onion sites. They went dark. So, Thursday morning, the FBI and German and Dutch law enforcement revealed that they had been working together and had infiltrated Hive. So, truth is stranger than fiction sometimes, or at least, you know, just as thrilling as your average Tom Cruise movie. Here we have, July 2022, and somehow, law enforcement agents gain access to Hive's infrastructure. So they begin quietly passing decryption keys - I love this - to over 330 victims. Now, the Department of Justice says these efforts prevented more than what would have been $130 million in ransom payments being made by these victims, had they chosen to pay. So this is great. We've got this Hive ransomware group that probably didn't know what was going on for a while. We know the infrastructure, or I should say, new samples of Hive stopped appearing apparently a couple of weeks before the takedown. That's what Group-IB, a cybersecurity firm, has reported. It's not clear if that's because the FBI started getting a little bit more offensive in this disruption or if Hive maybe had a clue that something was wrong because their revenues weren't looking real great since the middle of 2022; not clear what happened. But at the moment, Hive has gone dark. So, like I said, this is something to be celebrated. Not to be a party pooper, but I also did ask security experts: Do you think this is going to stick, or do you think we could see Hive 2.0 or, you know, the son of Hive, the swarm stings back? Who knows what they'll come up with? We've seen this before. REvil, aka Sodinokibi, got disrupted and rebooted at least a couple of times. DarkSide, Colonial Pipeline, got into a bit of bother with the geopolitical ramifications of that, and so announced that it would be shutting down operations, only to reboot as BlackMatter and then as BlackCat. Same again with Conti; it retired the brand after it disastrously backed Russia's invasion of Ukraine. And that angered a lot of people. Its source, its data got leaked, there's various other soap opera type stuff. But what the operators did was they quietly spun off other operations under new names, and then made a big splash about retiring, having already started up other operations. So what this gets to is that the profits from ransomware are still formidable. We've talked about how the number of attacks doesn't seem to be going down. And that's a concern, of course, for victims. Even victims, you get a free decrypter, I mean literally, a free decrypter, because the FBI comes and says, "We're here to help you. Here's the decrypter." And you say, "Thank you so much." That's good. But the trouble is your systems are still disrupted, broken somehow. So there's going to be a lot of time, effort, focus on getting everything cleaned up and restored. That's not an instantaneous sort of endeavor. So, for victims, the pain is still real. The good news is we've seen the number of victims paying ransom go down over the last three or four months. We've seen that based on blockchain payments, also anecdotal evidence from firms that help ransomware victims. So we've got some really great trends here. Fewer organizations are paying, less money is going to ransomware gangs, we have infiltration of Hive, which, aside from being a pain for Hive, hopefully from a psychological operations perspective, sowed the seeds of doubt and confusion, not just for the core members of Hive, but for anyone who was working with them. The feds will have been working overtime to get these people to reveal their identity. And unfortunately, a lot of them will be in or around Russia, which doesn't extradite its citizens. So as long as they keep their vacation plans restricted, i.e. Russia, they should be okay. If they travel abroad and the FBI or its international law enforcement partners know who they are, then their final destination might not be under their control. So, as I said, a lot of these people are operating in and around Russia; we're not going to be able to lock them up. The next best thing is to disrupt their operations, make it more costly, help victims, which is what's being done so that fewer want to pay, making their operations more costly. So this is positive news that we have here. Is the end of Hive, is the ransomware business model going to topple and die? I don't think so, unfortunately. But like I said, any good news is to be celebrated.

12
00:07:59.520 --> 00:08:12.390
Anna Delaney: Just following on from that, that was an excellent summary. Some people might say, "There haven't been any arrests. So will it make a difference?" You say, "Well, okay, it'll make operations more costly." Or is that not really the point here?

13
00:08:13.590 --> 00:09:29.610
Mathew Schwartz: I think adding any amount of cost, and it doesn't just need to be arrests, but Hive will be spending, or will have been spending, a certain amount of money to try to amass victims. And that's just draining out unbeknownst to them, because their infrastructure got hit; law enforcement, possibly U.S. intelligence, who knows, and others were coming at them. So I do think making it more costly is a good thing. It's not going to cause change overnight. But if you can drive attackers, because you have a lot of interest here in hitting people online, ransomware is just one of the possible tools. It would be wonderful, though, if we could drive people to not use ransomware, the disruption it causes, the fallout, the national security implications, the health sector repercussions, as Marianne writes about. So you know, unfortunately, she has been documenting it so frequently, because it's so frequent. Those are huge. So if there were other kinds of attacks, obviously we don't want to promote cybercrime. But if ransomware could go away, it would be a lot better for everybody. So hopefully criminals are being nudged in that direction. It's such a great moneymaker, though, for them, unfortunately, that it's going to take a lot of pushing to get them somewhere, to a different place.

14
00:09:30.690 --> 00:09:38.100
Anna Delaney: Though, as you said, it might not be the end of Hive, but perhaps a little bite out of the ransomware ecosystem apple.

15
00:09:38.460 --> 00:09:40.080
Mathew Schwartz: A wee sting, perhaps.

16
00:09:40.950 --> 00:09:55.200
Anna Delaney: Even better. So Marianne, on less good news this week, you've reported that the U.S. government and industry authorities are warning the healthcare sector of a surge of DDoS attacks in recent days against hospitals. Can you fill us in?

17
00:09:55.500 --> 00:13:32.070
Marianne McGee: Sure, on that kind of Russian theme, on Monday, there were reports that about a dozen hospitals and healthcare entities, mostly in the U.S., but then also in Europe, there were some hit with denial of service attacks by KillNet. And the attacks reportedly disrupted these organizations' websites and patient portals in some cases. And as you mentioned, authorities including the Department of Health and Human Services in the U.S., and the industry group, the American Hospital Association, quickly issued alerts for the healthcare sector. And by Tuesday, fortunately, when it goes back to this good news, bad news sort of thing, by Tuesday, it appeared that most of the hospitals in the U.S. that had been reportedly hit with these DDoS attacks had recovered their websites. Behind the scenes, I don't know if they're still cleaning up. But for the public facing, the websites seem to be working again. Now, one of the organizations that was hit told me on background that it did not take too long to restore services. But the incident was yet again the latest reminder of these assorted cyber threats that healthcare continues to face, including ransomware. And while these DDoS attacks were somewhat less disruptive, and more quickly recoverable than we see often with ransomware, for the healthcare sector, it's just one more thing that they really don't have the resources and time to deal with. They are still contending with ransomware threats, but other cybersecurity issues, as well as non-security issues ranging from serious staffing shortages to sort of the run on flu and still COVID cases and the virus that affects children, the respiratory virus that is getting a lot of kids hospitalized. So there's so many things that they're dealing with. They just don't need this right now. That all brings me to a conversation that I had the other day with U.S. Senator Mark Warner, a Democrat from Virginia. Warner is also the chair of the Senate Intelligence Committee. He says that he's very much aware of the cyber challenges that the healthcare sector is facing. And ultimately he sees this as a major patient safety problem. Warner is working on legislation that he hopes to introduce sometime this year that would address some of the healthcare sector cybersecurity challenges. That includes the inconsistency of cybersecurity maturity among entities, and perhaps the possibility of a program that's more carrots than sticks, he says, that would encourage entities to apply a certain level of minimum security practices. But before going ahead with that legislation, he's trying to work with some of his bipartisan colleagues. Republicans often don't like anything that sort of rings of being mandatory, but they do realize the threats that this healthcare sector is facing. So he's trying to work perhaps some bipartisan legislation that could be introduced this year, either sort of bite-size provisions that might be part of other legislation, or perhaps a larger bill that is focused on healthcare sector cybersecurity, so we'll see what happens - good news, bad news.

18
00:13:32.700 --> 00:13:38.220
Anna Delaney: Yeah, for sure. And going back to KillNet, what do we know about their style of operating?

19
00:13:39.990 --> 00:15:22.680
Marianne McGee: Well, from what I understand, what I'm told is that they - KillNet seems to be a little more amateurish compared to other groups that we've seen. But, you know, the thing that I thought was interesting in hearing about what was going on this week, and then also, that source that was at an organization that was hit, saying that they were able to restore things pretty quickly. I don't know if that kind of reflects the level of, or maybe lack of, sophistication of KillNet, but I do know that there have been previous DDoS attacks on the healthcare sector that have not been so easy to recover from, and you know, that goes back to 2014. There was a kind of a high-profile child custody case in Boston, and members of the hacker group Anonymous launched a DDoS attack on Boston Children's Hospital and another care facility that was sort of involved with the controversy. And not only did it knock out Boston Children's Hospital's systems for a few weeks, it also disrupted internet connectivity among other Boston area hospitals, so it had like a major effect. And then going back to the theme about bringing these hackers to justice, the hacker that was responsible for that DDoS attack on Boston Children's Hospital was actually prosecuted and received a 10-year federal sentence. But he was from Massachusetts, domestic. They didn't have to, you know, try to get somebody to come back from Russia. There was none of that. Yeah, he was here. They prosecuted him. And that was it.

20
00:15:24.210 --> 00:16:37.530
Mathew Schwartz: I think KillNet, and linking it with Anonymous there, what I've been hearing is that that is a great link. Because just as Anonymous, Anonymous says they're going to come get you. You mentioned the hospital example. But so often, it's hot air, or it's more about the publicity and less about the hacking smarts. It's more amateur. And what I've been hearing is that KillNet is much the same. Some security experts are saying, "Look, if you ignore them, they'll probably go away." People who have been in the Telegram channels that these pro-Kremlin KillNet participants participate in, a lot of them are saying, "Oh, this news outlet's written about how we've threatened so and so," or they say, "They're coming for so and so over here." And of course, anybody can rent DDoS attack time these days. And then they've got this badge on top of it, where it's called KillNet. But like Marianne says, it does seem to be pretty amateur. And it's one of these tricky problems of people who know what's going on. But that also gives it some of the oxygen it needs to sustain itself. So hopefully, it'll burn out. Hopefully, they'll run out of money before too long and can't pay these other DDoS services to increase their public profile.

21
00:16:38.460 --> 00:16:54.360
Marianne McGee: Yeah, and the other thing experts are saying, they're kind of - the KillNet group is kind of stirred up right now, because of the military equipment that's being shipped to Ukraine by NATO countries. And it just kind of riles them up. So let's hit some hospitals.

22
00:16:55.140 --> 00:19:04.620
Anna Delaney: Though perhaps more irritation than danger, but still a good reminder to focus on these defenses for healthcare organizations. Well, that's great, Marianne, thank you. Well, I'd like to share some interesting findings from an interview I conducted last week with James Lee of the Identity Theft Resource Center. And as you both know, the ITRC publishes an annual data breach report, and their latest one looks at data from the U.S. in 2022, which reveals a near record number of compromises, the second highest number since they began 17 years ago. But most interesting and alarming for me was something that James Lee labeled as a very troubling trend. And this is a sudden lack of transparency, and important details, in data breach notifications, which, of course, creates more risk for consumers. And the information that's missing is practically everything: information about the attack, how it happened, what was the result of the attack, and what has been done to prevent future attacks. So James told me that up until last year, virtually 100% of every breach notice included that information. Now, they're seeing only 58% provide that information. So that's a huge decline in a year. And I asked him what he thought might be behind this. And he said, "It's something that they're going to look into further this year." But essentially, according to U.S. law, if there's no actual harm to an individual from a data breach, they cannot sue in the federal court system. So businesses are withholding this information, because they're not legally required to do so. And, of course, it's bad PR for them, too. So why would they? James says this needs to change because it seems that we're going backwards, not forwards. And he suggests that the U.S. should look to the EU, which states that a notice should be made in conjunction with a data protection authority. So I found that quite alarming. And I know Matt, you've studied these reports year after year. I wonder if that stood out for you, or anything else, perhaps?

23
00:19:05.550 --> 00:21:30.720
Mathew Schwartz: Yes, Anna. I've been tracking data breaches really closely since California passed this pioneering state data breach notification rule back in, I think, 2003-2004. And I thought data breaches might have been solved at some point along the way. I've been disabused of that notion now for a while, unfortunately, because they keep getting bigger and bigger. And so it's really alarming to me that the ITRC is seeing less and less information. Because this is used by other victims, or potential victims, I should say, to prevent becoming a victim. They can see what's happened and move to bolster their own systems, like with Equifax. Imagine if none of that had become public, for example. It's also used by victims. The big intention of state data breach notifications is to empower consumers to say, "Look, somebody might have your information. They might be opening a bank account in your name," or whatever. When they might be hitting you with phishing attacks, "Be aware, look at your statements." So these businesses that have mishandled your personal details say, "Oh, by the way, we messed up. And now we've left you holding the bag here; you might experience fraud." I wish the states had something like GDPR, where everyone's right to have their personal data protected. It's a right, I should say. And there are severe repercussions if you violate that trust, that right. As Marianne was saying before, there are some in Congress, though, that don't want anything perceived to be mandatory. And so, we've got state laws, which are pretty much, with a couple of exceptions, at least, pretty much alerts or notification as to what I'm looking for; they are notification requirements, say, "Sorry, we've screwed up. You may experience fraud," as opposed to Europe where "Oh, we've screwed up. And in the worst case, somebody might go to jail; slightly better case, we're going to pay a lot of money." So very different systems. Something needs to change, though. Because if companies are going to spin these breaches, and get away with not alerting victims, not counting the victims is another thing that ITRC said. So it's the second highest that we know about in terms of victims, but like you say, if only 58% have this information, maybe things are even more horrible than we understand. So huge problem. I don't know what's going to change. But hopefully, we'll see some states rewriting their laws.

24
00:21:31.740 --> 00:22:55.620
Marianne McGee: I'm just going to chime in about in the U.S., as much as people criticize HIPAA, you know, it's outdated, this and that. One good thing that it has is the requirement for organizations that have had breaches that affect 500 or more individuals to report it to the Department of Health and Human Services. And then the Department of Health and Human Services has this mandatory requirement, as part of legislation that was signed into law years ago, to post these on a public website. So you can go there, you can see who reported these breaches affecting 500 or more individuals, how many people were affected; you know, the breach notification letters they send out have to have certain minimum details. But the loophole here for organizations that do report these breaches is, and I'm not going to name them, but I can think of many organizations that I know that have had giant breaches, but they report them as affecting 500. They know it's thousands, maybe it's millions, but they say it's 500, they submit the bid, they report to HHS, you know, under that 60-day reporting deadline, they've got it in there. And then this thing stays posted on the public website looking like it only affected 500 people. But actually, it was many, many more, and it's not updated. So it's kind of like bait and switch in some ways.

25
00:22:55.800 --> 00:22:56.880
Mathew Schwartz: Gaming the system.

26
00:22:58.140 --> 00:23:12.030
Anna Delaney: Always a loophole. Well, speaking of games, our last question is around games and amusement parks. So you've been tasked with creating a cybersecurity-themed amusement park. What would you call it?

27
00:23:14.340 --> 00:23:16.320
Marianne McGee: Mine's pretty lame: Hacker World.

28
00:23:17.370 --> 00:23:19.380
Anna Delaney: That's not lame. I would go.

29
00:23:21.240 --> 00:23:30.270
Mathew Schwartz: Great graphics. Great iconography. That's beautiful. My advanced persistent one, I'd say, 'Military Grade Amusement.'

30
00:23:31.590 --> 00:24:05.040
Anna Delaney: That's very good. And well, mine is 'Pirates of the Internet.' More lame, I think. But aka Scammers Island, and your mission is to reclaim the treasure from the scammers, and it would be obviously a perilous journey with plenty of bugs and fish and whales. Got that. But it would be worth it, of course, all those risks. Well, thank you very much for that fun dose of creativity at the end. And thank you so much for your insight, as always. Thank you.

31
00:24:05.160 --> 00:24:07.230
Mathew Schwartz: Thanks for having us. Have us back sometime.

32
00:24:08.460 --> 00:24:12.240
Anna Delaney: Soon. Thank you. And thanks so much for watching. Until next time.