In this episode, Ian Thornton-Trump, CISO at Cyjax, digests nation state's disinformation campaigns and the cybersecurity landscape. He also discusses the role disinformation on social media plays in cybersecurity.
Cybersecurity is fascinating, not only due to its dynamic nature but also due to how various topics seem to intersect in unusual ways. While the recent trend seems to center around Identity Access Management and Zero Trust, we should not lose sight of other areas. When we think of the evolution of nation-state attackers and nation-state attacks, and we intersect that with the role of disinformation in enterprise information security, these are both topics that interconnect in an unusual way.
I was able to speak with Ian Thornton-Trump about how it seems normal these days to talk about nation-state attackers as part of the cybersecurity landscape. Ian is the CISO of Cyjax, a company that specializes in threat intelligence and incident response. The presence of nation state attackers hasn't always been the norm. His insights made for a captivating conversation.
Tim Erlin: Thanks for speaking with me today, Ian.
Ian Thornton-Trump: Pleasure to be here today, Tim.
TE: When I think of the topic of nation-state attackers, I can’t help but wonder – how did we get here? How did we get to this point where the idea that nation states are actors in the cybersecurity threat landscape is a normal thing?
IT-T: Yeah, it's certainly an interesting question that has a lot of different aspects to it. If we look at it from a high level and more along a strategy, there are a couple of unique aspects that unfold. First, from the countries, organizations, and businesses that are pointing the fingers at each other, there is a sense that they don't want to admit that many of their own citizens are actively engaged in cybercrime activity. What they're trying to position is essentially one of suggesting that other countries are the protagonists as opposed to the fact that they're all criminally complicit and that it doesn't really matter where they're based. It doesn't really matter what ethnicity they are. The viewpoint is that countries are responsible for the conduct of their citizens. So, even though a Russian citizen can be arrested in Eastern Pakistan, he will be labeled a Russian cybercriminal.
That's a simplistic way of understanding what the nation state is really about in terms of its role as a protagonist. The next part of that is, when you look at the attacks that are being conducted today by malicious cyber actors, they're facilitated and in a lot of ways complicit with other organizations that have aided and abetted the attack itself. Despite the fact that you might be able to reasonably point your finger and say, "This Polish attacker was the one that got into the bank’s system," when you get below the surface, you see that the same attacker has compromised other servers in other countries. They've perhaps even rented infrastructure in the victimized country itself. So, we're trying to explain something in very simplistic terms when it's actually very complex.
TE: I don't know if I'd call it a pet peeve or a favorite topic, but I am concerned about how the headlines that are published are effectively a misinformation campaign or a disinformation campaign. I don't think there's malicious intent behind them other than to generate clicks. It's just the idea that it's overly simplistic. For example, the idea that we can't distinguish the difference between an attacker who happens to be of Russian nationality, an attacker who happens to be physically present in Russia, and an attacker who happens to be sponsored by the Russian state is not one that is discussed commonly in the cybersecurity media. You could substitute other countries there, but you get the point.
IT-T: Exactly, and the global police of the internet right now is certainly the United States’ Department of Justice along with its efforts to go after cyber criminals wherever they may be. It's interesting, as it’s a way of claiming that your house is in order. The problem is the disorder and the lack enforcement of governments in other countries. That's the problem.
TE: This makes me think of a potential analogy to content moderation on social media platforms in that their infrastructure supports activity that's either illegal or undesirable. But they absolve themselves of responsibility for dealing with that problem because of the way they have logically designed that infrastructure, which keeps them at arms-length from the conflict. Does that make sense?
IT-T: Absolutely. It's symptomatic of how we built the world's largest, complex machine and how nobody set forth rules and norms of discussion or behavior. And when we have attempted to do that at a nation-state level, it has always been biased towards the citizens of that particular nation to the exclusion of other nations. As an example, Canada tried to order Google to remove search results globally. These are the realities of this thing that we built, and we all jumped on. There are tremendous amounts of commercial opportunities in this space, but there are also major policy problems that the Western nations are faced with. No one is ever going to fully solve the cybercrime problem. What we need to do is to take a risk management approach to it, and we then do the best we can with this.
TE: I want to point out one thing that you've implied here. The evolution of technology and infrastructure that supports the massive global expansion of industry around the internet and connectedness in general also creates the opportunity for nation states to move from occasional cyberattacks to cyberattacks being a part of their overall strategic military plan.
IT-T: A hundred percent. Part of the aggressive cyber-posture and disinformation campaigns from nation states are fundamentally based on targeting each other in order to force one of the world's most powerful nations back to the negotiating table. There is no other opportunity out there for them to engage because all other avenues are basically prevented. For example, when you cut off a nation to the economic system and its ability to interact with other nations, that nation is going to react. They're going to react in the best way they can using all the capabilities that they have. Right now, one of the most powerful capabilities that a small nation can use to raise attention is that internet connection.
TE: It strikes me these aren't new tactics. They're just the same tactics that have shifted with the technology and the changes that have occurred in the world.
IT-T: Absolutely. We're seeing the recycle-reuse approach, and that's gone from nation-state capabilities developed by groups such as APT 28 and then the unfortunate NSA leak of Eternal Blue. All of a sudden, everybody is now armed with potentially strategic weapons that can attack national critical infrastructure.
IT-T: It's interesting, because the mindset that we are faced with, seems to have changed within the last five to ten years. We're not giving ourselves enough time to perform deep analysis. The only way I see us regaining our ability to work through disinformation is by taking a longer view and doing deeper analysis, rather just accepting what people are talking about on social media, either anonymously or through various deliberate campaigns of disinformation.
TE: Yeah. Let's connect to the use of disinformation here. The other trend that we see, especially in political discourse, is the rise of disinformation as a political tool on social media platforms primarily. It is clearly a problem, but how is that problem related to cybersecurity?
TE: That makes sense. It's interesting because one of the things that's changed is the speed at which people receive information. The impact that it has had is that it means people don't necessarily think about their decisions because they get the information so fast. They don't have that built-in delay. As a consequence, people don't think deeply about decisions as much. It's possible that it is what has caused the quick acceptance of the disinformation. But, if I'm a cybersecurity practitioner in an organization, how does the disinformation problem affect me?
IT-T: It's going to make you work a lot harder to gain trust. This is where transparency, openness, and trust has now become the most important marketing and the most important sales tool that you can have, as it takes an awful lot of effort to keep it, and you're one data breach away from losing all of your customers. Unfortunately, a lot of people with a lot of time on their hands are working at emotionally manipulating you into believing their version of the truth as opposed to seeking it out yourself through performing your own analysis and testing your own proof of concepts.
TE: It sounds like what you're saying is that there's a spectrum of disinformation. At one end of that spectrum, we have what we would perceive as blatantly obvious disinformation. At the other end, there's a more insidious type of disinformation where it's not that the information is clearly wrong but that it's more biased towards a particular conclusion.
IT-T: That's true. The other problem we have is that we can experience the same event but perceive it entirely differently, and that is just part of the human condition. The problem that we're faced with by extension of this idea is that when we strongly and passionately believe something is real, we take comfort in it. And what many businesses are looking for today is a surety and comfort. They're not looking for technology. As we move forward, we begin to see that our assumptions about what we had five or 10 years ago that prevented cyberattacks are now proving completely inadequate in terms of defending us. There's some comfort in the nostalgia of the path of the past, but it completely makes it difficult to evolve.
TE: I'm really stuck on this idea of what we're looking for in cybersecurity is comfort and assurance. It's a very technology-heavy field, yet what you describe is a very human characteristic. It reminds me that behind the scenes, we're talking about human beings. We're talking about people who have a job to protect the business, and in order to do their job, they need to feel like they've implemented the right technologies and the right controls to deliver on that. So, the idea of security vendors delivering comfort and assurance is an interesting one.
IT-T: I think it's where we ended up, because what you need as a CISO, an IT manager, or a director is to be able to call up your technical people to get questions to tough answers. And you need to look at cybersecurity challenges as an obstacle course that you've got to train for. Just as you wouldn’t walk across a balance beam without the correct training, you will literally need somebody holding your hands. With technology, a vendor can hold your hands so that they'll be there to help you out if you screw up or slip on something when you're walking across that balance beam. There used to be parodies of the IT security guy just smashing away on his computer for eight hours a day. That mythology was maybe one of the most destructive things to our industry that we've ever seen. This is a team sport, and it's not just a team of technical people. It's your whole business that needs to be on board with security; if you don't get them there, you're just going to fail at it.
TE: Yes, that is an excellent point; security is a team sport. It makes me think that what we're looking at here is the rise of the value of expertise over the technology. That will be a really interesting trend to pay attention to if that's where the field has progressed.
IT-T: Absolutely. I think that's exactly where we are at right now because we moved a lot of stuff to the cloud. I know a lot of organizations who did that rapidly and perhaps put security in the backseat. That's coming back to haunt them. So absolutely, it is a team sport. Let’s bring in people with different experiences, different skills, and different capabilities aligned to the business's objectives. Only then will an organization succeed with security.
TE: I want to thank you for spending the time with me today. This was super interesting.
IT-T: I appreciate that. And thank you very much for having me.