[01:50] Hitting the Hot Stuff: Cyber War Playbook

Rachael: We've got Jill Aitoro, the Senior Vice President of Content Strategy at Cyber Risk Alliance, joining us again. Jill, welcome back.

Jill: I'm excited to be back. I know this makes me biased, but this is the most fun podcast that I do.

Rachael: There's always so much to talk about, that's what makes it so fun. But I do want to kick off and just say, congratulations on the awesome reporting you guys are doing over at SC Media. I just can't say enough good things about it. It's my favorite go-to read. You guys are always hitting the hot stuff and it's such great reporting and Joe, we're a huge fan of him. He's hilarious. I follow his Twitter.

Eric: We had him on the show. So for anybody who wants to know, SC Daily Scan is a daily email that'll drop in your box. I get it every morning at 6:00 AM, I think.

Jill: 6:00 AM, you got it.

Eric: I read it, it's the beginning of my day. It is outstanding. It's not your normal daily brief if you would, but it's all about cybersecurity and it's awesome.

Jill: We have an awesome team, I say it all the time. We built it out over the last couple of years. They're great and we have it covered well. I'm hoping we grow it even bigger, but we're doing well with this group so far.

Eric: You don't do a weekly summary or anything do you? It's Monday through Friday, six in the morning.

New Introductions

Jill: It's Monday through Friday. I like that actually. We're talking about new introductions in terms of newsletters. Right now, it's daily. What we publish every day is The Daily Scan. Then, we have a weekly threat Intel and cybercrime newsletter. We have a weekly cloud newsletter and a weekly government focusing on the federal government newsletter. Then we have weekly healthcare and weekly finance.

We have an alert, where it's basically like, this is big news. We're going to shoot you an email in the middle of the day, whenever the news broke and make sure you get it. That's what we have now, but we have more emerging. We're talking about doing a leadership newsletter.

In terms of workforce, careers, and leadership, we do talk about something like a round-up. I don't want to go too much, but in my former job, we had what was called The Early Bird and it was for the defense community. We had all of our content, but we also had everybody else's content, so that it was a single read of everything you could possibly want. I would love to do something like that inside, but all focused on cyber.

Eric: I also read The Early Bird every day. In the morning, 6:00 to 6:30, that's when I do my scanning and those are two, The Early Bird and The Cyber Wire, which I know maybe a competitor. I read that on Saturdays before I go and work out.

Jill: Yes, there's great content.

Eric: I do like, the weekly scan. You do have some great writers. It's enjoyable to read and it keeps me up to speed before I get my day going.

The World's First Cyber War Playbook

Rachael: Let's hit on a really hot topic that's still on the news, Ukraine. A lot going on there. On a previous podcast, we were talking about the world's first cyber war being in the thick of that are Ukraine and Russia, but also as it spills over into other areas.
There was an interesting development in Microsoft getting involved recently. I would love for you to share a bit more of that with our listeners. Are we poking the bear here with Microsoft jumping in the fray?

Jill: Yes. Microsoft basically has done this before in terms of proactively going in, grabbing certain domains that are tied to ransomware gangs. It’s almost what you call burying them in a server, so they can't infiltrate technology. It is interesting and significant. They've done this repeatedly with this particular group is known as fancy, very generally speaking. It's significant, but as I mentioned, I feel like this is sort of where we are in cyber response.

The proactive big measures are necessary, especially when you're talking about cyber espionage, ransomware gangs tied to nation-states, and so forth. Microsoft did it for their own vulnerability if you really think about it. With Microsoft exchange server, whenever that was, now, it seems like years so long ago. But working with the FBI to go in and proactively remove vulnerabilities from systems in the private sector, was a bold move, too.

Everyone thought that was going to be controversial. I feel like this is the best that private companies can do without doing true offensive security tactics. Which I think, generally speaking, everybody frowns upon. They'll pop back up, that's what these groups do.

A Cat and Mouse Game

Jill: There's a big response. They go quiet or all NATO nations get involved, they go quiet and they pop up with a different name. It's a cat and mouse game. 

Eric: What we're talking about here is APT28 Fancy Bear was targeting Ukrainian media organizations. Microsoft took seven of their internet domains offline, which they've done before. I think they probably have a script to just create new domains and move the operation laterally. It would be so easy.

Jill: In terms of poking the bear scenario, what I have found inspiring is the cyber community at large. Microsoft can go big and do something like this and work with law enforcement. We've seen a lot of pretty bold moves from the cybersecurity community. Right from the get-go, there were companies that were offering free software and services to Ukrainian enterprises. Some were kind of supporting the government.

There has been an influx of companies standing up and saying, "No, we're getting involved." I think Microsoft can go a little bolder because of the resources and the relationships they have. But I think that's appropriate. I think a lot of groups are getting involved and going right to the line of what can be done in this situation. It's kind of cool.

Eric: I always wonder when the domains disappear. Does the adversary complain to Microsoft, “You took my domains offline”? Do they just go away and move? Or do they just shift because they are guilty of, let's just call them not-so-pleasant operations? Do they just move or do they actually file a formal complaint, if they were legitimate?

Jill: It's funny you say that because we've done a lot of reporting in terms of some of the larger ransomware gangs.

[08:43] Professional Operation

Jill: They’re truly functioning like a business and operate even in terms of the attacks and the forms they give you. Here's what's next. It's like a very professional operation, customer service. I wouldn't be surprised if they were just like, come on, you're infringing upon our operation here.

Eric: Dimitri, go and file a report with Microsoft. You've got this one, bring us back online.

Jill: Yes, absolutely. I wouldn't be surprised.

Eric: I'm expecting more of the same. Microsoft will continue to play whack amole, not a bad thing to do. But I'm expecting they'll move laterally and continue on APT28 Fancy Bear, which is the Russian military intelligence, the GRU. Reportedly, they've been in operation for a long time. They've been doing this a long time and I suspect they will keep doing it for a much longer time.
Jill: Yes, it's Russia's approach. I think that the groups go about this with the expectation that there'll be a response to some degree. They have pulled it off for many years, so it'll keep happening. Will the companies get bolder in what they do? I don't know, we'll see. It's been interesting to watch what Microsoft and other companies have done in terms of partnership with law enforcement and the FBI and the justice department.

It happened before, but I feel like we're seeing it more often. Whether that's because Russia and certain groups and cybercrime groups are becoming more bold, so it's demanding a bolder response or it’s just that we're getting better at it, I don't know.

Eric: I think one of the things we'll see or we are seeing is the enhancement of that public, private partnership, the relationships.

Better Information Sharing About the Cyber War Playbook

Eric: Who do I work with at the FBI and who do I talk to at DHS? I know we're seeing that. Four or five years ago, it was a mess. There were an infinite number of contacts. The information-sharing was a disaster. Now we've got the JCDC, we have a few systems set up today that allow for better information sharing. As the adversary does get bolder, I do think we'll be quicker. Will we ever get ahead of them? Not my prediction. I do think we'll be quicker

Jill: I think of Solar Wind. We talked about that last time I was on. It’s amazing how much has happened since. I think it was a wake-up call in terms of cooperation because it ended up very encouraging when you look at what FireEye, Microsoft, and the government were doing together. But I think, in the beginning, it was a little segment in terms of response and what we are hearing and who it was coming from. I feel like it's come a long way since then, but there's still a long way to go. The government always has the problem of, should we share this? Can we share this? I think they air on reluctance more often than they need to. We'll see.

Eric: I could tell you some stories. I can't, I'd love to share on just how long it takes to declassify something that the commercial industry already has. The answer is forever, in many cases. You just can't do it. It's like, I have it right here in commercial databases and it's ridiculous. I gave you the information, to begin with. Yes, but it's classified on our side. It's a nightmare. Definitely an inhibitor.

Volunteer Cyber Army

Jill: Always has been, for sure. Not just in cyber, but across government.

Rachael: On that theme, one of the things I'm really fascinated about, is the volunteer cyber army aspect of things that are happening here. How do you turn that on and off? You can't really manage a 200-person volunteer cyber army, regardless of which side they're on. I also know like this whole spillover thing, trying to walk that, everything's about this fine line. It’s fascinating to me and now we're hearing, article five, this rapid response force for NATO. But is any of this going to get triggered? We talk about it, but I don't think anyone wants to cross the line.

Jill: No. The talk of article five has been going on for years. I feel like I remember reporting on it when I think it first came out, but I don't remember what year it was. It was first noted, and it was a big deal, it's like, okay, this is relevant. Before this war, there was another war in Ukraine with Russia that brought involved cyber tactics and Estonia. This is not new, we've actually seen this before.

NATO is very careful in the phrasing, and they say, it's got to be serious. What Stoltenberg came out and said on Twitter, I believe was, "A serious cyber-attack could trigger article five. It has to be where an attack against one ally is treated as an attack against all." But there are a lot of ifs there, what is a serious cyber-attack? They even question how you define a cyber-attack. So, it's very wishy-washy.

The Cyber War Playbook Needs a Framework and a Structure

Jill: I feel like for it to really push forward, there's going to need to be more of a framework and a structure around these definitions because it's a bold move. Right now, I don't feel like it has the standards in place to really get moved forward. You have to remember, too, that this would involve all NATO nations in theory, backing this. That's always hard to do in any water time. Deciding to go forward and respond to this as an act of war has ramifications on many countries, not just the one being attacked.

Eric: I think it's a very slippery slope, Rachael. It scares the hell out of me. Where do you draw that line? I feel like the line keeps inching back. As the adversary gets bolder, as the NATO nations get bolder even. But where do you draw that line? And when you draw that line, are you ready for the consequences?

Jill: Before article five would kick in, I think there need to be major improvements in terms of collaborative efforts to counter the threat. They came out with this rapid response group, which is great, but let's be honest, it's going to be led by the US. It's mainly going to be financed by the US and it's going to involve companies. I don't say that as the US is running everything in NATO. That was stated that the US is going to really take the lead. 

I think there are a lot of disjointed standards for cyber response in different countries within NATO and beyond NATO, in terms of our allies.

[16:01] The Cyber War Playbook Needs a Convergence

Jill: I do believe there needs to be, to some degree, a convergence of those so that there's a playbook and how maybe not to go offensively, but how to respond. When these countries' allies are attacked, what is the instinctive response from NATO as a whole and from the countries themselves? That, too, isn't in place yet.

Eric: Right, but what type of attack? Is network probing, disinformation, or taking a system temporarily offline, an attack? Was it McAfee years ago and something like 80% of all internet traffic was routed through China for a couple of minutes or hours, I don't even remember. Like, is that an attack? How do you draw the line? Then how do you get however many NATO nations there are, engaged and involved and in agreement and alignment?

Jill: When many of them don't have the resources to necessarily do what some of the larger countries with more money can put behind this. The other problem is, you get a lot of these small NATO nations and they're like, "We would love to do that. We don't have the resources." You're going to provide the resources to do that, which is a challenge. But yes, defining what is a cyber-attack and then also being able to trace it back truly to being an act coming from an enemy nation-state. They're really good about being able to claim, "No, we had nothing to do with this."

Eric: The attribution problem.

Jill: Yes. You have ransomware groups that are generally protected by Moscow. But whether we are linking them directly, that's different. It's challenging.

A Cyber-Attack on Lithuania

Eric: There are threats right now around Lithuania being attacked. Imagine a cyber-attack on Lithuania. Now you have the large NATO nations, US, UK, Germany, whatever, if we have a line that's drawn and we cross it, now we've got to support tiny Lithuania. I'm not saying that's a good or a bad thing, but it's very quick to be drawn in. You can see in Ukraine is where mostly kinetic here, physical attacks, you can see how carefully, I think, both sides are not to escalate this outside of that area of operations. You can't attack US artillery.

Jill: They're good at dancing that line in everything, in terms of what can I do?

Eric: And push it, exactly.

Jill: Yes. How far can I go? Lithuania is tricky because remember Ukraine is not technically a NATO nation, that's the other thing to keep in mind. So, it is tricky because you support one and they're going to expect you to support many. That’s where those standards come in. Where it's like, "Okay, but what? What are we defining as crossing the line?" They haven't done that yet, that still has to happen.

Rachael: I'm always fascinated by the duplicity happening in the cyber world. While one thing's happening over here, there's another thing happening over here and maybe you're not going to notice that China's doing a little micro-targeting there. I believe it's a rare earth mining company. It’s really fascinating and also scary, the micro-targeting on social media. It ties into a lot of bigger themes in the news today, which you should probably know.

Rare Earths

Rachael: I would love for you to break this down a little bit more for our listeners. I think our brains can't take all of it in at the same time.

Jill: No, totally. I used to get made fun of, it was a couple of jobs ago because I wrote about Rare Earths, like on a regular occasion. And I remember my colleagues being like, "Do we need to write about Rare Earths again?" But in terms of technology, it's amazing like how influential this is. Basically, those metals that are used in technology development at the very base components very often and China has dominated and really supplied about, I think, usually what I see is at least 80% of the production, including in the United States.

There's been a big push in recent years. The Defense department has utilized Rare Earths from China, very inappropriately. There's a big push to manage that, find different sources, and develop sources domestically, which has a lot of benefits. But China's coming in recently. To your point, Rachael, launching this disinformation campaign on social media. What's interesting about it is they're basically going in and playing on fears. As I said, a lot of people don't necessarily understand what Rare Earths are and what the production in the United States would be.

They're bringing this up, playing the lack of knowledge and the fear factor on that. Talking about whether or not it's going to bring radioactive contamination and these sorts of scenarios. On social media, the general population is reading that concerns grow. It's interesting, like in some ways disinformation has been happening for so long. We obviously saw it in the election and it had a big impact on the election.

Pushing and Nudging the Cyber War Playbook Forward

Jill: But this is a little different where for the election, it was playing on a divide that already existed without question. It was pushing and nudging that forward.

This one, it's playing on fears. Then, it's creating people who have a lack of understanding of something and making a fear factor associated with that. This could impact efforts, it could make companies suddenly unable to grow and to be able to create this production line for the United States. So it is interesting. It's a little bit of a different tactic that we're seeing.

Eric: I think your sense of following rare earth, despite the poking fun at you, is right on. I was doing some research prior to the podcast and in the nineties, the Chinese really undercut pricing to the point where most of the rest of the world got out of rare earth mining. So they cornered the market. There's a precedent here and these are materials.

Jill: They cornered the market before we realized how dependent we were on the market.

Eric: Then, we became more and more dependent. So, seeing from disinformation, the micro-targeting effort falls in line with a multi-decade strategy to really dominate in that space and control it.

Jill: It does connect, even our reason for trying to pull away from China is also a cybersecurity story. We talked about supply chain threats; these Rare Earths that are coming out of China are used in electronics for computer chips. This is at the very basis of the technology supply chain. So that's where really, it's not just disinformation because they want to dominate a market.

[23:39] A Market They're Not Allowed to Dominate

Jill: This is a market where we can't allow them to dominate because it introduces so many threats into the supply chain. So it's an interesting story.

Eric: We're not even talking about lithium and some of the battery-type materials that we need in massive volumes as we go to EVs, we're talking about really rare components.

Jill: Yes, we don't have the capability at this point in time to even create domestically. That's what we're trying to address.

Rachael: It's China and their efforts to gain IP for the national benefit and the correlation to how many Chinese companies are really getting stacked on the Fortune 500 list, as well. That increases year over year, it gets pretty significant as they have these exploits, it's been fascinating to track.

Jill: It's also funny because it does demonstrate the different threats. When you look at Russia versus China, both are certainly significant threats from cyber as well as global competition. Or I shouldn't say that, they're both cyber threats. 

China is a significant threat from a global competitive standpoint. The Defense Department has come out with full-on strategies on how we can respond to that to make sure that we win in that area. Whereas Russia, they're not going to necessarily from an economic standpoint dominate. But they are bold and they're trying to overtake from a geopolitical standpoint. So it's two different threats really, which is interesting.

Eric: I think China is larger. This week, we had Chris Wray, the FBI director and Ken McCallum, the MI5 Chief in the UK get together. Chris said, "It's the Chinese government that poses the biggest long-term threat to our economic and national security."

The Sly Theft of IP

Eric: Yes. It's that sly theft of IP, whether it's the entrance to the Chinese market where you've got a partner or having a Chinese company lead your initiative. Or Chinese individuals in schools and universities and organizations in the rest of the world, where they have access to that material and they can export it.

Jill: Yes, they can export it. They dominate in terms of trade partnerships and various regions of the world that are really important to the United States. It's not like a country that to some degree is universally seen as an adversary. That's not the case for China. So, it becomes challenging as the United States wants to make sure to not be cut off from other areas of the world.

Rachael: Just as a total sidebar. I just got on TikTok for the first time, like two weeks ago.

Jill: You're done for.

Rachael: I've lost hours. No more Twitter doom scrolling. Now I'm on TikTok and the algorithm figured out I like dog videos somehow. I don't understand the point of TikTok, but I'm fascinated by it. Like I still can't look away.

Jill: I know, I can't either. I do not even have a TikTok account, but I have two kids, so they love TikTok videos. It's everywhere.

Rachael: And the time people put into creating these videos and I'm like, "Why?"

Eric: It's Chinese-owned.

Rachael: That's what I'm saying. They want to turn on TikTok. It's like social media heroin, like, I need my fix.

Eric: Jill, we're not putting the podcast on TikTok. You have my commitment. As long as I'm alive, that's not happening.

A Story of Globalism

Jill: It's been interesting to watch, but it is a story of globalism, for lack of a better way to put it. What is China doing and what aren't they doing? Whether or not TikTok has taken the precautions needed in terms of where they have servers, we all know how the internet and digital capabilities work. They can certainly access this information if they want to. It's a matter of how sensitive that information is, who knows? But yes, it's been an ongoing story, this has been for a number of years.

Rachael: With that, everyone, we are going to leave you with a cliffhanger for this week. Be sure to join us next week for part two with Jill Aitoro, where we really dive into the privacy conversation making the media headlines right now, you won't want to miss it. Big thanks to Jill Aitoro for joining us. I can't wait until next week's episode. As always, please be sure to subscribe. You get a fresh episode right in your email inbox every single Tuesday. Until next time everybody, be safe.

About Our Guest

She has more than 20 years of experience editing and reporting on technology, business, and policy. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. Jill Aitoro previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting, and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.