The Expanding Threat Surface
Podcast episode 49
Former director of Cyber Incident Response for the Government of Canada, Gwen Beauchemin, says the threat surface under 5G is only going to “explode” as the Internet of Things drives the factory of the future and the smart office building. What is the communications service provider to do? Gwen tells our @hainsworthtv that the telecom industry shouldn’t underestimate the state of this new cyberwar.
Below is a transcript of this conversation. Some parts have been edited for clarity.
Michael Hainsworth: Gwen Beauchemin has been in the cyber security game for as long as computers have been networked. The former director of Cyber Incident Response for the Government of Canada says the threat surface under 5G is only going to “explode” as the Internet of Things drives the factory of the future and the smart office building. What is the communications service provider to do? We began our conversation by reviewing a University of Maryland study which concluded a cyberattack is launched every 39 seconds, and every data breach costs an average 3.9-million US dollars. Gwen says it’s a lot worse than that.
Gwen Beauchemin: When I was running the national CCIRC five years ago, there were about 120,000 new threat factors every day. And so I would think that's completely under-reporting. Most networks, if you think that you have not had a cyber attack, it's because you haven't found it. There's more bad traffic than good.
MH: When you say that it's under-reported, you suggest that, in part, it may be because you just don't know you've been hacked yet, but I can also imagine that there is, for lack of a better term, a pride component to this. If an organization had been hacked, they may be reluctant to disclose that.
GB: Oh, certainly, because we don't have a carrot and stick phenomenon going on. We just have all stick. So your IT guy says they've been breached, well, they're bad, you might want to fire them, which would be the worst thing to do because they're the ones who know your network. And then you move up the chain, and you've seen senior C-suite folks get canned after a particularly harsh cyber event.
And so that means that either you have to regulate folks to report, or you have to incentivize somehow, or this is not going to change. You're going to continue to hide if you know and under-represent the impact. You can see now with Colonial, they're not back up yet.
MH: That pipeline system. It sort of feels a little bit like the guy in the zombie movie who got bit, but won't tell anybody about it. That actually long-term does more damage than good.
GB: Absolutely. Now we've always heard that the doctors make the worst patients. IT professionals make the worst people to admit that they've been done over. I still do all my own network IT, even though it's been over 30 years since I learned it. So yeah, I think it's bad, and it's getting worse. The other problem that is there is a lack of skills. So in my entire time in technology, we've never had enough people nor enough talent to actually make things work. We always have vacancies in our fields. And so that just makes everybody stressed out.
So here, you've got this poor IT guy. And if he says, "Hey, I think we have been hacked," you could get knocked over the head saying, "Bye, thank you very much." And the only reason he's done that is he feels enough trust to tell you, and he's probably working, he or she, sorry, has been working many, many hours beyond capacity for years. We had all kinds of unpaid, just dedicated folks that would stay after their hours all the time without question.
MH: And who are they fighting? You said that if you don't think you've been hacked, it's because you haven't found out yet. Is this largely cyber criminals, or are these nation states that we need to be primarily concerned about?
GB: So I think it's both. We have seen a slow change over the last 20 years, since the internet became commercialized, that criminal gangs or the underground economy has shifted or expanded, in some cases, over to the internet, because it is incredibly easy to get the tools. You can hire the tools. Just like you can have a cloud service provider, you can have a malware service provider to grab the expertise in order to hoover up all kinds of noteworthy, valuable assets. And so it's very easy to do.
On the state side, so that's always a dialogue that happens, and it's quite politically unpopular to say what's going on in that state. We know, it's public knowledge, there are many, many states, including ours, mine, all of North America, that have a cyber defense and cyber security capacity within their government. And so we can't just say this particular country is doing some nasty stuff. They are. Nobody's super clean here. We're all doing this. This is the cyber war. It's the cold war moved electronically.
MH: The threat surface is expanding under 5G. What does that surface look like?
GB: So even today, you know that we probably have all kinds of devices in our home that 10 years ago we didn't have. We've each got a cell phone. We've each got now WiFi-connected, name the appliance: fridges, stoves, dishwashers, I can't figure it out really.
MH: Why do you need your dishwasher to tell you that it's done doing the dishes?
GB: Right. So it's that annoying bell, but now it's on your phone. So I find we've already over-committed to the number of devices online, but the industry pushes forward to figure out what are the next innovations.
So one can think, you have a heart palpitation, and you used to get a device implanted to make sure that was ticking okay. And they'd go in every decade to see or replace it. Well, now that's connected to an app so they can monitor it. Great for the patient, for the underlying health condition, but that's another vector.
And so you're going to see, with 5G, just the explosion of opportunities. We can hardly imagine. I would think that there'll be sensors in every distance marker on the highway, monitoring road conditions or monitoring speeds or monitoring the snow to see whether it's at a particular degree and what's melting. They can change the type of salt, we have salt up here in Canada, to melt the ice. And all of that could be monitored through all of these devices on a road. And that's just one example.
MH: What's interesting, too, is that one might think that sure, somebody hacked my thermostat or that road sensor, but what's the value in that? Whereas the reality is that's the front door. That's the first level of security that's been breached, and the intent is to work your way into the system from that initial low power, low security, low priority device.
GB: Right. And we've all done the risk assessment against our different pieces of our infrastructure and assigned the relative critical value. And so that road sensor, well, it's low, it's no value. So we might not even monitor it very actively because it's such a low priority in the food chain, but it's all connected.
And so what the criminal gangs and the state actors have been doing very well and expanding exponentially are botnets, and botnets are that they control all of these devices and then will gather them all and then do a dramatic push of information out that has malware in it to take down a particular segment. So when you have an outage, a cloud service provider outage, that's probably been caused by a botnet.
Now we also hear the word of ransomware a lot, and that's just they put a price on it. So instead of just taking it out for takeout's sake, they've said, "Well, I've gotten all your road markers now, and you can have them back, but you have to pay me a million dollars. And I may or may not give them back in its original condition, but you can pay me a million dollars." So the value of them is that they may individually look low value and not critical, but they're all connected. And there are many, many of them, and you want them. Your company wants them to be safe and used in the appropriate manner. And that has value.
MH: You've brought up two very interesting points, one of them being that sure, maybe that road sensor gets hacked. It may not necessarily be an intrusion point into the broader network for whoever owns that IoT device. It can simply be turned around and developed as a zombie that goes off and attacks the rest of the world instead. With that in mind, the ransomware component to it is pretty critical. How significant is it today? And what's your prognostication as to how much bigger it's expected to get in the coming years as we make this major shift into Industry 4.0 and we have more of these types of devices out there?
GB: Yeah. It's quite concerning. And I think we're seeing examples, or we're hearing examples of where companies are paying ransom. And up until fairly recently, say the last five years ago, the ransomware came in and it was maybe $30,000, and the behavior was very honorable. You'd pay the 30,000, they'd unlock your files, and away you'd go.
The most recent ones we've seen, the value of the ransom is far higher. The intrusion, the number of devices that are impacted is far higher. And in fact, they're not good behaviors. So when you pay the ransom, they may or may not release those files, or they may release them, but it's a lot of work. It's inevitable that this is going to get worse.
So it was strange. It was a strange behavior that they actually honored the deal of the ransom and that you paid it. Show me a movie where that happens. So they're now moving into the more traditional realm of piracy, and I think that will continue and explode.
MH: So how should a CSP address the security implications of the bring-your-own-device phenomenon, which was a hard road to travel for an enterprise in the first place to suddenly say, "Okay, fine, we'll let you bring your own devices." There was a definite positive to that, but at the same time, it introduced substantial new problems. How does a CSP, which is connected to that enterprise that has all those devices, address that kind of security implication?
GB: Well, we've seen some solutions, and unfortunately they either limit the use of the bring-your-own devices into the day-to-day operations, or they take over the particular device and impose the company's security profile on it while you're on prem. Both of those are stop gaps in order to protect the company's environment. I think it's going to be very difficult unless you had a seamless supply chain.
So the phones that you would say are allowed are the same, operated by the same telephone operator as the company has as the cloud, like maybe align so that you could then have the same security policies running through that array of levels. That's the only way I can see it working.
This is not sustainable. You may have saved a few bucks by allowing your employees to bring their phones, and you've raised morale because now the employee has one device rather than two. But I just don't see how you can seamlessly have that kind of risk brought into your enterprise everyday and then go home, and home networks aren't secure. So what in fact are you doing? You'd have to have the ecosystem much more blended.
And so that would be offering your employees to have home internet plans by an approved supplier rather than another one that would be lower quality, supposed lower quality or not even aligned. Those are the means in which you could probably move forward on this. You'd have to incentivize the changing of the phone as soon as it became out of date and the patching was no longer level. There's a lot of complexity to that, and it would mean, I think, disappointment in both the employee side and the employer side of how the devices cannot be seamlessly put into your infrastructure.
MH: I know as we look into the 5G infrastructure, just all the various levels of it, unlike 4G, 5G now ring-fences its system with security protocols at every step of the way. Again, the idea that you might be able to get in the front door, but you're not going to get up to the first floor or the second floor or the third floor because there are continuous checks and balances associated with that. But that also creates a remarkable explosion of alerts for any IT professional to attend to. So it seems artificial intelligence is stepping up to act as the network security guard.
GB: Absolutely. And that was inevitable. If you're going to have an explosion of devices, you can't manage it with having four people sitting in front of these mega screens watching for red flashes that come up.
MH: That's a movie analogy, right? The red lights flashing, that doesn't happen.
GB: Well, it still does, but it should be at a completely different threshold. It's not every alert. It's when there's a systemic alert that needs some human eyes on it. So all you've done is taken those routine tasks and put a layer of intelligence there, because it needs to be able to ingest the knowledge of what the new 120,000 daily threats are to your infrastructure. It needs to be able to assess what the relative protections are and test the scenarios so that you know whether you can say that your network is good to go, green.
The security operations center of a company, in the past, has been dealing with those elementary things. And when your password expired, all of those things, those can be automated. If it's repeatable, it's automated. And if it's repeatable, but enhanced, so something changes slightly, then that's the AI portion that learns how to shift as the instructions change.
That all needs to be removed from that network operator job. Because again, we have scarce skills. We don't have enough of them. They're very expensive people, and there's a whole lot of other higher-element work that needs to happen. To look at patterns, to look at threat factors, to study the algorithms of that program, the AI, that's where we need to put the emphasis rather than the task of just whack-a-moling these particular threats.
MH: In 2020, 33% of all infections in mobile networks came from IoT devices. And as we move to Industry 4.0 and industrial IoT, you said that the CSP would never keep its head above water looking at customers as suspect.
GB: It’s not the customer themselves that's suspect. It's the data and the instructions to that data and where it's moving. And so you really need to take every data packet and encrypt it so that it's secure, and data in motion and data at rest need to be encrypted end-to-end. And so therefore it's a protected seal. And so you are protected. The cloud service provider is protected because you're putting a seal around the information or the instruction in order to get from A to B.
So the risk doesn't transfer then to the cloud. It remains back at the enterprise. If the information and instructions within that data at rest and data at transfer have been hacked or malicious, it stays within that enterprise. Because one could imagine you're going to have thousands of customers at the cloud service provider level, the last thing you need is all of these new threats coming in from your particular clients. So you really have to make sure it's layered.
And as you said it, 5G has all of these layers of protection within. So it's going down to protecting the particular piece of information rather than entire infrastructure. And assuming that within that infrastructure, it's all safe, that's an impossibility. So you go down to the smallest nugget and protect that.
MH: So we're told to design for security. What do those core principles look like?
GB: So it's monitoring all of those patterns, so that anything beyond a particular error mode would be alerted. And everything within, you'll know that you've got a pretty good chance that it's going in the right place. It's still saying the same thing, and the people able to interact with that piece of information are the right people.
So go down to that rather than the whole system has 100,000 users, you know that there's 12 people, 12 roles that have access to that information to do a particular instruction. So you can understand that as far more the rules engine towards managing this data are incredibly complex.
MH: It sounds like what you were suggesting was packet sniffing, something that would be necessary to be able to tell what is in that data packet that's moving across a network. To your point, data in motion needs to be encrypted. How do we sniff into that, first of all, particularly if it's encrypted, and second and perhaps just as important, if not more, maintain the privacy of the customer?
GB: Right. So that's back to what I mentioned about perhaps you don't actually sniff the data inside the packet. There's always an envelope that's sealed that you don't get into, and so you're looking at the seal. And we see this in physical security, that when you're looking at how governments protect information, there's always the document, then an inner envelope, then an outer envelope, and there's different information in each one. And so what is the information that the cloud service provider needs in order to restore that data? I don't need to know the details. I know that sealed envelope is still going from A to B, and that's the right places that sealed envelope can go. That's in my instruction set. Good to go. I don't need to get further in.
MH: So in all of your years in internet and corporate security, are you at all optimistic that we're winning this war?
GB: Well, I think we're keeping up, because the computing power is still expanding at a remarkable rate. The telecommunications world we live in is expanding. We can hardly even imagine what life was like 10 years ago. And so when I started, it was mainframes without any internet. I had a 300 baud modem. And so the risk was very, very low because it only went as fast as 300 baud, which was 30 words a minute.
MH: And worst-case scenario you just unplugged it from the phone.
GB: Exactly. So yes, it can seem overwhelming, and how would we ever keep pace? But that's human nature. We are driven towards keeping pace. We are driven towards managing our infrastructure in a way, same as any physical world issues. We got rid of acid rain in the Great Lakes. We are working towards carbon capture for all of our industry. We'll figure it out, but we have to have, I think, folks looking at the long-term to see where the horizon is going.
I'm involved a little bit in the Quantum-Safe Canada initiative, which is for quantum encryption. Those are the things that need to proceed. We need all of our researchers working for what will the internet need to protect itself in a normal evolution over the next 20, 30 years. Those conversations are happening, and they need to continue to happen.