To: Interested Parties
From: Trusted Future Team
Re: What We Learned at the Munich Security Conference and Since the Russian Invasion of Ukraine
Date: March 3, 2022
A senior delegation from Trusted Future traveled to Germany for the Munich Security Conference. We hosted a dinner at the conference site on Friday, February 18th featuring high-level European and American security, intelligence, law enforcement, and telecommunications industry officials. Trusted Future Senior Advisor Adm. Michael S. Rogers and Executive Director Ken Gude attended the dinner, while Co-Chair Adam Golodner also participated in the three-day conference and met with numerous top security officials from Europe and the United States.
Cybersecurity was a high priority for the conference participants, which was only amplified by the then-impending Russian invasion of Ukraine. Speaking at a cybersecurity event on the eve of the main conference, Deputy Attorney General Lisa Monaco warned that due to Russia’s past actions and the potential for greater cyber risks surrounding the Ukraine invasion, “companies of any size and of all sizes would be foolish not to be preparing right now as we speak… They need to be as we say, ‘shields up’ and to be really on the most heightened level of alert that they can be and taking all necessary precautions.”
Our four main takeaways from our discussions during the conference are described briefly here and in more detail below. In addition to the robust conversation during the dinner and throughout the conference on these subjects, there was a strong desire by our European counterparts for Trusted Future to engage in further discussions in Europe on these issues. The bottom line is that all of us need to be elevating our cybersecurity precautions right now.
- Security needs to be at the core of any new technology investment, policy, or program as a forethought, and not an afterthought. It’s not something that can be tacked on at the end without potentially exposing systems to unnecessary risks.
- Everyone should follow basic cyber hygiene practices to reduce the risk of penetration. These comparatively simple steps can protect users and enterprises from many common cyber attacks.
- Security needs to be built into systems from the beginning so it just works. User action, either by being tricked into letting down defenses or simple errors, is the primary driver of cyber intrusions. Individual employees or device owners should not have to be their own Chief Information Security Officer.
- The digital ecosystem does not recognize political or geographic boundaries. As a result, policy or regulatory frameworks in one country or region can negatively impact cyber security across the globe.
As the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of “the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine,” it is abundantly clear that everyone must raise the level of their cyber defenses and protections.
Putting Security at the Core
Ensuring that security is placed at the core of any new activities-–whether that is the manufacturing or purchasing of a personal computer or mobile device, the establishment of an enterprise network, or the adoption of a new legal or regulatory framework—was one of the primary themes to emerge from the Trusted Future-hosted dinner. The participants were current or former senior practitioners in cybersecurity, intelligence, or law enforcement, and had direct experience dealing with cybersecurity threats.
Hardware manufacturers and software developers need to ensure their products are designed with high security standards. Individuals should include security considerations when assessing which products to buy. Businesses must emphasize security when setting up their internal networks. And policymakers must analyze the security implications at the outset when considering any major changes to the policy or regulatory framework that governs the digital ecosystem.
One former senior official who has had roles in defensive and offensive cyber operations provided first-hand experience on the need to place security at the core of decisions across the digital ecosystem. He said that it was practically impossible to plug all the holes to defend an actor, network, or system that didn’t prioritize security and that when he had his offensive hat on, he and his operators would rub their hands together when they discovered their target didn’t place security at the core of their systems.
We don’t want Russian cyber operators to be rubbing their hands at the prospect of targeting networks during this current crisis or in the future – especially given that a previous Russian use of ransomware initially targeted against Ukraine called NotPetya ended up creating significant harm for major businesses as it spread around the globe.
Follow Basic Cyber Hygiene Practices
Echoing Deputy Attorney General Monaco’s warning, adopting basic cyber hygiene practices was frequently discussed during our dinner and throughout the conference. One of the first public resources that Trusted Future created is a fact sheet on the simple steps that anyone can take to Practice Good Cyber Hygiene. These types of practices are replicated around the globe, from CISA’s Cyber Lessons to New Zealand’s guidelines for keeping your mobile phone safe and secure. Russia and other nation state actors have very sophisticated offensive cyber capabilities, but the reality is they often don’t even need them when users and enterprises employ lax security practices.
Take for example the Colonial Pipeline ransomware attack in 2021 that disrupted gasoline distribution throughout the Middle Atlantic region of the United States. The enterprise side of the network was penetrated following the acquisition of login credentials for a network that did not require multi-factor authentication, and because the enterprise side was down, Colonial determined they could not properly operate the pipeline side of the business. Another ongoing situation affecting users across Europe, North America, and the Pacific Rim is the FluBot malware campaign using banking trojan malware that steals login credentials and other financial information. It penetrates devices by inducing users to click on a text message link that downloads an app that overlays a screen on the login page for banking apps.
Following the basic cyber hygiene practices of using multi-factor authentication likely would have prevented the Colonial Pipeline ransomware incident, and only clicking on trusted links or downloading apps from official apps stores would have thwarted an attempted FluBot malware exploit. We need users everywhere to follow these comparatively simple steps that can defeat many of the most common types of cyber attacks.
Security Baked In
Following good cyber hygiene is essential, but individuals should not always have to be their own Chief Information Security Officer. The systems and devices that businesses and users acquire should have a level of security built into them by design that just works without requiring complex input or answering confusing questions from the user. Even security features that allow for them to be switched on or off elevate the risk of a cyber intrusion.
The urgent need for security to be baked into systems from the beginning was highlighted by one dinner participant who was himself a former hacker and is now a senior advisor to a major global telecommunications company. He said the greatest cybersecurity risk exists in the space between the user’s hand and the keyboard or device. That’s because most cyber intrusions result from user action, either being tricked into letting the malicious actor into the system or on to the device or a user error or mistake that lets the bad guys in. One analysis of data breaches reported to the U.K. Information Commissioner’s Office in 2019 found that 90% resulted from user action.
A particularly insidious example is the FluBot malware activity referenced above, which has evolved to capitalize on the publicity surrounding it to pose as a security update designed specifically to protect against the FluBot itself. It induces the user to disable a security feature designed to prevent app downloads from outside of official app stores, thus allowing the malware onto the device when it otherwise would be prevented from downloading. Devices that bake this protection into the design, removing the cyber risk that exists between the user’s hand and the device, are completely protected from FluBot.
We know the Russians utilize psychologists and neuroscientists to design specific social engineering techniques targeting individuals that would make the FluBot technique seem like child’s play. Secure by design devices and systems are better equipped to deal with these sophisticated social engineering attacks.
The Digital Ecosystem Does Not Recognize Political or Geographic Boundaries
The digital ecosystem is not constrained by the political or geographic boundaries that have traditionally regulated the flow of commerce, the exchange of ideas, or the barriers of security. We now hold technology in the palms of our hands that allows us to instantly connect with practically anyone, anywhere in the world. We can open a corner store on the global marketplace. This certainly creates enormous positive potential for populations that have not enjoyed the same benefits of the global system to use modern technology leap forward into a future that appeared unattainable just a generation ago.
At the same time, however, this interconnectedness creates interdependence. Commercial technology products are built once and sold globally. This means that policy and regulatory frameworks that adversely impact the security of products in one country or region can have an impact across the planet. This underscores the importance of all actors in that ecosystem prioritizing security and the necessity of engagement in technology policy debates wherever they are happening.
The 2021 Munich Security Conference highlighted that the state of global cybersecurity remains a top concern for world leaders. Now is the time for all actors in the digital ecosystem to place security at the core of any new decisions related to technology, follow good cyber hygiene practices, and bake security into hardware and software.