BACK STORY With DANA LEWIS
Cyberwars
On this Back Story: the vulnerable West and cyber warfare.
How hackers, some of them foreign intelligence agents, have held companies ransom, shut down pipelines and other critical infrastructure, and influenced elections.
What is the worst-case scenario? And did U.S. President Biden's message to Russian President Putin to stop resonate inside the Kremlin?
Host Dana Lewis interviews cyber expert Ammar Barghouty, who was a field agent for the FBI on counter-terrorism and dealt with computer intrusion threats.
Speaker 1: I pointed out to him: we have significant cyber capability, and he knows it. He doesn't know exactly what it is, but it's significant. If, in fact, they violate these basic norms, we will respond, cyber. He knows the cyber war. Number two, I think that the last thing he wants now is a cold war.
Speaker 2: Hi everyone, and welcome to another edition of Back Story. I'm Dana Lewis. Listen, please share this podcast with your friends. We need to grow, and we appreciate your support. At the Russia-U.S. summit in Geneva, U.S. President Joe Biden told Russian President Vladimir Putin that certain critical infrastructure should be off limits to cyber attacks. But analysts said his efforts were unlikely to be more successful than previous attempts to carve out safe zones online. In other words, the Russians are going to keep hacking. Biden wasn't explicit in his news conference, but he spoke of 16 kinds of infrastructure, an apparent reference to the 16 sectors designated as critical by the U.S. Department of Homeland Security, including telecommunications, healthcare, food and energy. Did Putin get the message? Sure he did. But will it change anything? On this Back Story, a former FBI cyber expert walks us through the field of hacking and cyber warfare. Oh, and change your password.
Speaker 3: All right. Ammar Barghouty is with the Soufan Center, which is an independent research and analysis center. He heads up its cyber practice, and he joins us from Doha, Qatar. Hi.
Speaker 4: Hi.
Speaker 3: So your background is pretty amazing, and I want to mention it before we talk about all this, if you don't mind. You worked in the FBI field since 1999; you were a field agent. You were posted all over the world on counter-terrorism missions. In 2013, you were assigned to the Washington Field Office, cyber human intelligence: spotting, assessing and recruiting confidential human sources in the cyber arena. You were also program manager responsible for computer intrusion threats from terror organizations, and ran cyber intrusion investigations across several FBI offices. That's really impressive. And I want to ask you, just to begin with, Ammar: given everything that we're seeing in pipeline hacking, the massive, massive hacking of U.S. government systems in December, which was called SolarWinds, it would seem that we're in a cyber war right now.
Speaker 4: Well, I don't think we've ever not been in a cyber war, but the intensity has definitely gone up.
Speaker 3: We seem to be on the losing side of that war, because we failed to secure even, you know, all our critical infrastructure, and month by month, and increasingly week by week, we seem to be...
Speaker 4: Yeah, well, I think one of the big reasons we seem to be more on the losing side is we have the largest surface area to attack. We're a very connected country. But you're right in terms of the security. If you look at just the Colonial Pipeline, some basic cyber hygiene probably would have mitigated a lot of what happened there. As it's understood, the attackers came in using a reused password that was compromised on another site, and Colonial Pipeline wasn't employing what we call multi-factor authentication, which really should be the standard for everything. You know, when you log into your bank and you receive a text message on your phone to continue the login process. So if somebody stole what you knew, your password, they still had to have something that you had, which is your telephone or your token. And that would probably have prevented even that attack from ever happening.
Speaker 3: Cyber hygiene. That's a new one.
Speaker 4: It's used a lot now.
Speaker 3: This seems crazy, that if you're a hacker you can get into major infrastructure by compromising somebody's password. I mean, surely there are more layers to this than a password.
Speaker 4: Well, to be quite honest, a lot of what the hacking is... I mean, if we're looking at the nation-state type hacking, or stuff that the NSA would probably do, that involves a lot of technical knowledge and a lot of really strong savvy to do, when sometimes it's just easy to get somebody's password. It's way easier if you can social engineer it out of somebody with a phone call or a spoofed email; you make them divulge that information. They open the door for you. And unfortunately that's kind of how a lot of this works, because why should I do all the engineering, and if somebody discovers it they can always patch it, when it's a lot easier to get somebody to open the door for me? And a lot of these hacks actually are done that way. Ransomware in particular, right now.
Speaker 3: The Russians seem to do this as an industry. What would you say about the accuracy of reports that come not only from the FBI but the NSA and many others that, first of all, the election was hacked, and that the GRU, Russian military intelligence, was involved in things like SolarWinds?
Speaker 4: Well, in terms of the actual election hacking, I haven't seen anything where it was kind of a technical type of hacking, versus retrieving the emails, back in 2016, of the DNC and whatnot. That didn't need a lot of savvy to do; that was also social engineering. I believe John Podesta's emails, Hillary Clinton's campaign manager, were what was stolen, via a spoofed email where he tried to verify his Google credentials. But in terms of Russia and the criminal side of things, especially with the ransomware attacks, which is something that we're really being overwhelmed with right now, and the tolerance of the criminals within Russia: I've always seen that the line between organized crime, or even crime, in Russia and the Russian state is pretty blurry. It's not a very solid or clearly delineated line. A lot of...
Speaker 3: A lot of times that's great for denial purposes from the Kremlin, because they can say, oh, they're criminals. It wasn't military intelligence, or it wasn't the FSB, et cetera.
Speaker 4: Absolutely.
Speaker 4: And that's where also using these lower-technology techniques comes in. Because if you're using something really high level, something, you know, what we'd call zero-day exploits: basically you find a vulnerability in a system that nobody else knows about. We call them zero days, and different systems, your antiviruses, can't pick them up or anything else like that. You kind of associate those with very high-level type hacker activity, even the nation-state side. But if you want to kind of deny things, you keep it on the lower level, and it works great. There's really, again, like I said, no reason to employ the crown jewels of your technical exploits when somebody could just trick somebody into giving a password, or use, again, a reused password across different platforms. I can compromise a password on one system, and if I know who the user is, and they work in a place that I'm targeting, I could just reuse that, because a lot of folks do reuse it. And again, if we're not using our multi-factor authentication, our text messages or tokens, to come in, you're in the system.
Speaker 3: This is all a form of hybrid warfare as well, you know. This kind of: look surprised, act concerned, and deny everything.
Speaker 4: Absolutely.
Speaker 3: You believe Putin's denials that Russia is doing this? I mean, if you watched the summit last week with President Biden, President Putin's news conference dealt extensively with the whole area of cyber hacking, and he says more hacks are coming from America and places like that than from Russia. And of course he denied it came from...
Speaker 4: Well, it's kind of funny. Sometimes if you look at a certain kind of map that shows where a lot of cyber attacks are launched, they may appear to be launched in America, but you can make it look like they're launched from America. So I think it's kind of using maybe that as a cover. But no, I absolutely do not believe his denial one bit.
Speaker 3: So you believe that the security services are doing some of it, not all of it?
Speaker 4: I wouldn't say somebody... I would say they're looking on and maybe, you know, cheering, organizing. I have nothing to base whether they were actually organizing it or not on, or that...
Speaker 3: That's been the evidence that's been given to Congress, that some of the organizations of the GRU were absolutely involved in the 2016 election, that these weren't fringe criminals. I mean, these were intelligence services.
Speaker 4: You know, when we're looking at the 2016 elections, I kind of look at that as a separate thing, versus, again, a lot of the criminal activity that's going on right now, Colonial Pipeline and whatnot. The 2016 elections, from all the evidence, it truly appears that it was directed and supported. The name escapes me, but the actual physical location of where these folks were housed was all tied back, I believe, to the Russian government.
Speaker 3: Some of them may have been from St. Petersburg and elsewhere, but I think there's...
Speaker 4: Yeah, the Internet Research Center, I believe is what it was called, was the name of the place. But also a lot of the information was kind of coming out of there, which is not necessarily my expertise. I'm more on the intrusion side.
Speaker 3: But when you were looking at intrusion threats from terror organizations, what kind of threats?
Speaker 4: On a level I would call medium-low to low. A lot of the terror organizations... really, if you take an organization like Al-Qaeda, they really distrusted technology. So they had one or two very promising folks there that were kind of shoved to the wayside. ISIS kind of had a lot more technically savvy cadre, but they employed most of those internally, to search for spies, basically by compromising people's phones. Same thing to look at Iraqi or coalition troop movement, by tricking soldiers into downloading apps that let them access their location and video and microphone. In terms of attacking the West, it was very aspirational. They did look at, I believe, a water system at one point, but they kind of lacked the expertise on one side. Like, even if they got into the water system, they don't have the engineer who knows, okay, which valve do you turn now to make this thing go bad. They didn't have that expertise. And a lot of the really aspiring, as I want to call them, thought leaders were generally killed before they ever had a good chance of getting somewhere. Others, in terms of doing intrusions, were mostly sympathizers, indirectly tied to folks like ISIS. They tried a lot, they made a lot of mistakes, and a lot of them were caught, through a lot of good international cooperation between the United States and foreign governments.
Speaker 3: I asked the question because if we're vulnerable to criminals, which we surely are, are we not vulnerable to something more than just ransomware? Are we vulnerable, possibly, to terrorists?
Speaker 4: It's definitely a possibility. Right now, currently, I think the threat isn't as high as it used to be. There was a lot of attrition that happened in terms of the technically savvy ranks that would even have thought about doing these types of operations. But when we look at ransomware, here's something that I've always said; it's kind of been my fear. Terrorists kind of use techniques that are a few years old, but now, with ransomware, it's kind of getting there. What happens when a designated terrorist organization takes down a city system and demands money, and now the city would become, you know, funding terrorism if they pay the ransom, or they lose all their files? That's kind of an interesting conundrum at that point.
Speaker 3: I mean, the SolarWinds attack was 18,000. I mean, I've had to, you know, I read that number again and again: 18,000 organizations, including the U.S. Treasury.
Speaker 4: Yes. Yeah, that was definitely closer to the nation-state level type of attack.
Speaker 3: How do we stop it? And don't tell me to change my password.
Speaker 4: Well, it's going back to the cyber hygiene. The issue with SolarWinds was they had their updates placed in a location that was compromised, and then the adversaries were able to slip their own software in lieu of the updates. And as people updated their systems, they were bringing in, you know, the bad code, so to speak. There are ways, absolute ways, to do it. And again, it's all just really good habits that need to be developed, especially on things that are sensitive. When SolarWinds, for instance, would put up their updates, they need to also include, and I believe they might have, what we call a hash value. So when I download the update, I will check the hash value of the software that I have against the hash value that SolarWinds says this is what it's supposed to be. And if they don't match, that means somebody kind of tinkered with the software. It takes a little bit of extra time, and some people, and I've done it myself, I've downloaded stuff just for my own personal use where the website would have a hash value, and I've been lazy; I just haven't checked what I downloaded versus the hash value that was there. But I'm not that important with the things that I was doing.
Speaker 3: It occurs to me that what we're dealing with in American society, and a lot of Western societies, are probably what traditionally, say, in Russia would be government organizations, which long ago have been privatized, and you're trying to preach security to civilian organizations and hoping that they can...
Speaker 4: Yes. And a lot of them don't see it. And it's unfortunate, because, you know, a lot of the organizations, businesses, they're primarily looking at the bottom line and the business processes. And if you ask them to do things, they don't see the return on the investment. It's like buying insurance: you really don't see it until you need it, and you hope you never need it, but a business might see that kind of as an expense. For example, one big nation-state attack was the WannaCry attack back in 2017. And that was based on actually the leaked NSA hacking tools that were re-weaponized by, the United States and the United Kingdom believe, North Korea. And that spread like wildfire to over 200,000 systems. Luckily, a kill switch was found in it; it was just bad programming on the North Koreans' part. But the sad part is, no systems should have been infected, because it was only effective against unpatched or older systems that should have never been in place.
Speaker 3: What do you worry about when you hear, when you, you know, as this evolves... It seems like it's becoming really compressed, to the point that, look, I've covered Russia-America summits for two decades, and cyber concerns overtook nuclear concerns. I mean, there was a much bigger agenda because, you know, nuclear concerns are real, but are they an imminent threat? I mean, the thought is no, but cyber threats are an ongoing imminent threat.
Speaker 4: Yes. And again, we're far more vulnerable because of our attack surface. With nuclear threats, we had mutually assured destruction. With cyber, now we'll have way more damage than the adversaries will ever have.
Speaker 3: And why is that? Just because we have more things online, most of our industry is online and modernized?
Speaker 4: Yes. Industry, banking, everything. I mean, just everything is getting to be online, and we just have far more to hit.
Speaker 3: What is your nightmare scenario?
Speaker 4: Well, obviously, you know, the power going down for three months, or longer; that would be my biggest. Just the chaos and anarchy that would happen from that.
Speaker 3: I would say that's a good Tom Clancy chapter, but not very realistic. But now, after the pipeline was hijacked on the Eastern Seaboard of the United States, it's a very real possibility. And suddenly, you know, it dawns on all of us that this is not some kind of abstract exercise that they play within FBI headquarters or the NSA or the Pentagon. This is real stuff.
Speaker 4: Yeah. I mean, with the pipeline, luckily there were workarounds to get the fuel; you can use trucking, you can do all that kind of stuff. But if your generation capacity is blown up, you can't go to Generators R Us and just order one and get it within a week. It takes a year or so to bring those things online. And if you have a whole bunch of them go down, it could hurt.
Speaker 3: In the summit in Switzerland, in Geneva, President Biden gave President Putin a list of sensitive no-go areas for hacking, even though the Kremlin denied that they do hacking. But, you know, I think there are 18 of them or... Do you think that Putin found that amusing? Or what was the mention by Biden of, you know, imagine if your oil pipelines went down, which seemed to be a pretty muscular threat to me. Do you think that that is enough to dissuade the Kremlin in the future?
Speaker 4: Personally, I think maybe it may give some pause, because generally the United States doesn't advertise what it can do. From what I've seen, we kind of hold back the really good stuff for the time and place to use it, so to speak. I can't talk about things, obviously, that I may have come across within the intelligence community in that regard. But when President Biden did say that, I did have a small smile on my face.
Speaker 3: Their capability to fight back. And do you need to do that in cyber warfare?
Speaker 4: Directly? I would not know. I would hope so. But same thing: if I did, I probably wouldn't be allowed to talk about it.
Speaker 3: All right, I'll let you dodge that one. Is it time for a sea change in how we run infrastructure, how companies hold data, and how we protect ourselves? And again, you know, it has to be more than a password.
Speaker 4: Well, I think we probably need to regulate some cybersecurity and actually put some penalties in there. There are best practices that are out there. DHS puts out great publications under what we call NIST. There are absolute best practices out there. And I think we need to probably put some regulations in there where companies could face some liability for just ignoring things. Again, to kind of say, hey, you know, you run this; you have to have A, B, C and D. Some of it is...
Speaker 3: So you're providing critical infrastructure, or you're part of that critical infrastructure puzzle in Western society. That's really interesting that you would say government would say to them, look, if you don't safeguard that responsibility, if you're found to be negligent in not putting up proper barriers to whoever wants to hold you ransom, you could potentially be financially...
Speaker 4: Yeah. What I mentioned: CIS, the Center for Internet Security, has beautiful, like, wonderful enumerated controls. They say, here's your top five controls. Have a way to put that in where, hey, you know what, if you've done due diligence, show that you've done due diligence, that you've actually put these top recommendations in, and that would indemnify you from future liability, whether, you know, government fines, or even shareholders being able to sue you for just ignoring these things. I would like to see maybe a little bit more of that, because that way you can push the boards, you can push the leadership within a lot of these companies to say, hey, we know we need to do this. Have it on their annual reports, their annual accounting reports, where for cyber, you know, you have to have something down there. It's kind of telling shareholders: what are we doing in terms of cybersecurity? What standards are we meeting? Is it audited? Same thing, part of the audit; somebody can audit that. That would put some teeth into things, versus this whole, hey, you know, you should do this, or else, you know, just in case.
Speaker 3: And is that on the table with companies now?
Speaker 4: Not okay.
Speaker 3: I know you were a field agent in the FBI, and I don't get a chance to talk to field agents, or former field agents, very often. But you've seen what happened at the Capitol, and the FBI... You know, there's been a lot of testimony and a lot of evidence from the FBI now saying, well, they didn't know about some threats online. But the criticism has been that they didn't really flag the intelligence. Some of it was raw, you know, no phone call to law enforcement. Some of it was passed along, but probably not as a priority and not as an alarm. Knowing what you know about terrorism around the world, and understanding now the threat from domestic terrorism in the U.S., are you disappointed with the way the FBI handled some of that information, or passed some of it on?
Speaker 4: Honestly, I know how their hands were tied based on the laws. The international terrorism laws that we have on the books are extremely strong and solid; domestic terrorism doesn't face any of that, because of a lot of the issues with the First Amendment and whatnot. And I know, for instance, the FBI Agents Association has been pushing really hard in the last few years for stronger domestic terrorism laws that would allow the FBI to use a lot more of the tools in the toolbox that they have, that they're able to use against international terrorism. I saw the transition of the FBI. I was a pre-9/11 agent. I was working terrorism pre-9/11; I was in Yemen after the USS Cole bombing, and various other things. And then I was on the ground in Saudi Arabia right after 9/11, pursuing leads there. But I saw the transformation of the bureau, how it really transformed. And I'm honestly extremely impressed, on the international terrorism side, with how well the bureau has protected the United States. But there were a lot of tools available for the bureau to do that on the international terrorism side; on the domestic terrorism side, not so much.
Speaker 3: Big problem, right? Because you can't follow the money, you can't intercept electronic communications very well, you're limited on surveillance. There are so many restrictions, unless these groups, like the Three Percenters and all of them, are lumped in as illegal organizations or terrorist organizations.
Speaker 4: Right. And it's very hard to do with the domestic one. And I think that's all up to Congress right now.
Speaker 3: And it's been done in other countries. I mean, Canada, where I'm from, I know they have made some of those organizations illegal now.
Speaker 4: Yeah, probably they're... no, sorry. I believe the Proud Boys are illegal now in Canada. Yes. But not in the U.S. Yeah. I mean, we right now currently have a Congress that refuses to even investigate what happened, much less... can you think how much legislation they'd pass to combat it, in the current state of politics?
Speaker 3: When you sit around with your former colleagues, do you kind of feel this is really a ticking time bomb? I mean, if Congress won't address the threat issue, and now wants to bury some of it and say they were tourists to the Capitol, you know, some of the Republicans... We haven't faced this down. So that transition you talked about after 9/11, when the FBI went through, you know, a metamorphosis in terms of dealing with counter-terrorism and threats from abroad, they need to do that with the threat from within.
Speaker 4: Absolutely. Again, going back, knowing the tools that we have, it would probably be very effective against domestic terrorism. There's no language barrier, there's no cultural barrier, there's nothing. You know, putting undercovers in there is going to be very easy, versus putting undercovers in a suspected cell of folks from far away. I would imagine the FBI, with the proper laws, would be extremely effective. I mean, going back, correct me if I'm wrong, all the successful, what we would deem international terrorist attacks within the United States that happened after 9/11 really involved either lone wolves, or a husband-wife team like San Bernardino, or two brothers like in Boston. Things that I can't get into: I can't get into pillow talk, I can't get into two brothers living together, or some random guy who decides he's going to shoot up a nightclub. But everything else that involved any type of conspiracy or communication, or trying to get people together, the FBI has pretty much been almost a hundred percent at thwarting those. So I have no doubt that the FBI could do extremely well against domestic terrorism. However, the laws need to maybe be tweaked a bit to assist in that.
Speaker 3: Ammar Barghouty, great to talk to you, from the Soufan Center. Thank you so much.
Speaker 4: Well, thank you. I enjoyed it, and it was my pleasure.
Speaker 2: That's our Back Story on cyber warfare. The Soufan Center has an amazing lineup of experts who give great insight on security issues. It's great to be able to talk to Mr. Barghouty; it's one of the reasons I do this podcast, to be able to access some incredible thinkers. By the way, a few times a week now we put out a newsletter, for free, unless you want to comment, and then it's a paid subscription: danalewis.substack.com. Check it out. danalewis.substack.com. Thanks for listening to Back Story with Dana Lewis, and I'll talk to you again.