As the International Cybersecurity Forum in Lille, France (FIC2020) is about to begin, a few thoughts: Iranians could disrupt U.S. law firms; the Jeff Bezos phone hack is a cyber nightmare; and Cisco’s 5G cyber security ramp-up in Milan

The International Cybersecurity Forum in Lille, France (FIC2020) starts tomorrow. We’ve been scouting the venue, reading press releases, and chatting with attendees who have begun to arrive. It is one of the best organised events we attend. More about Le FIC (with photos) at the end of this post.

The following are a few pre-event thoughts, notes and comments.  

[ And for our French readers, our analysis after “Le Fic” will also be in French. Due to time constraints, we are not able to produce this article in French. ]

 

Catarina Conti
Manager, Media Operations
Project Counsel Media

27 January 2020 (Lille, France) – The International Cybersecurity Forum (“Le FIC”) kicks off tomorrow and runs for 3 days. It gets larger and larger every year … more sessions, more speakers, more exhibitors, more hands-on training workshops, more technical presentations. It has fast become a major European reference event, but it now also has an enormous U.S. cyber security contingent. This year we’ll have over 10,000 visitors, 400+ vendors and partners, 400+ speakers, 4 special plenary sessions for government officials and the intelligence community, with over 120 countries represented.

There really is no better place than FIC2020 to have the opportunity to meet the major players in cyber security and take stock of the tendencies and trends regarding cyber attacks, and especially of the solutions … and lack of solutions … given the problem is critical and we all seem to encounter it every day.

And everything is right in the venue: the presentation areas, theatre rooms, session halls, private meeting areas, food/drink stands and halls … all within a few steps. And if you are press or media, there are designated work areas. There is no need to leave the venue at all. It is one of the best organised events we attend. More about Le FIC (with photos) at the end of this post.

Iranians Could Disrupt U.S. Law Firms

As reported by many legal media outlets, a U.S. congressional hearing last week raised alarms for Washington-area law firms about the risk Iran will target courts and financial institutions for cyberattacks. The House Homeland Security Committee called the hearing as a response to new threats after the January 3rd U.S. military drone strike that killed Iranian Quds Force leader Qassem Soleimani. The next day, the Homeland Security Department put out a bulletin warning about Iran’s “robust cyber program.” It said that “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effect against critical infrastructure in the United States” and that “an attack in the homeland may come with little or no warning.” Iran retaliated by launching missiles at U.S. military installations in Iraq.

However, diplomatic officials and lawmakers at the congressional hearing said the Iranian threat is unlikely to have ended with the missile strike. Instead, Iranians are likely to launch cyberattacks that damage the U.S. economy, government operations and infrastructure. Courts and banks would be among the top targets, according to expert witnesses at the hearing. Said U.S. Representative Bennie G. Thompson, a Mississippi Democrat and chairman of the House Homeland Security Committee:

“I am particularly interested in understanding how Iran could use its relatively sophisticated cyber capabilities against state and local governments and critical infrastructure to exact revenge for the death of Soleimani”.

He accused the Trump administration of failing to develop a plan to protect against the threats after the Soleimani assassination. And, the experts say, part of the Iranian strategy will clearly be directed at disrupting the 2020 federal election. Representatives from the FBI noted that more than 40 cities were victims of cyberattacks in 2019. In Philadelphia and Atlanta, the attacks temporarily interfered with court record keeping and court databases were hacked.

One expert at the hearing noted that if an Iranian cyberattack strikes law firms or their clients, they might have difficulty seeking reimbursement from their insurance companies. During an insurance industry symposium on cyber security in San Diego earlier this month, Tyler Gerking, a partner at law firm Farella Braun & Martel LLP, said cyber insurers might invoke “hostile-acts clauses” in insurance policies. A war exclusion clause or hostile acts exclusion is a common provision in insurance policies that excludes compensation for damages arising from warlike acts between nations.

Threat intelligence organizations at the hearing … and in alerts issued to their clients … have recommended that law firms make wider use of encrypted data, two-factor authentication and vetting of employees who could represent a threat of leaked computer information.

A wake-up call for the powerful

Last week we sent out The great Jeff Bezos WhatsApp caper (in a nutshell). If anything, the Bezos hack exposed the glaring vulnerability in our digital world: the ready availability of powerful cyberweapons for anyone with the money to pay — and the ethical willingness to use them. When deeply personal information about one of the world’s most powerful businessmen is exposed through an attack apparently coming from the WhatsApp account of a future head of state, then who can truly feel safe?

It is why I laugh hysterically when I read about “data privacy”. This week’s assertion that Jeff Bezos’s iPhone X was probably hacked by the personal account of Mohammed bin Salman, crown prince of Saudi Arabia, had plenty of shock value. For anyone operating at a senior level of business or government, it is a clear wake-up call.

But there are two other points to make about this hack other than exploitation of digital vulnerability.

The first involves social engineering. Attacks like this play on weaknesses in the human operating system that can’t easily be patched. At senior levels of business and government, ego, opportunity and responsibility jostle to shape how personal networks operate. Trust is a requisite, and electronic channels of communication unavoidable. Even friends spy on each other. Angela Merkel’s phone calls were monitored by the US National Security Agency, according to leaks by Edward Snowden. Why do you think Benjamin Netanyahu himself uses a Nokia 1100? No smart phone for him. Which is why when we travel outside Europe and the U.S. (not that Europe and U.S. telecommunications are super-safe), the laptops stay at home and we use burner phones.

The second significant aspect of the Bezos attack is what it shows about widely used networks and devices. One focus has been on WhatsApp. According to the investigators, the malware appeared to come from an encrypted media server on the Facebook-owned network. This might suggest that encryption itself is the hacker’s friend and that, as Facebook moves its business more towards private messaging over encrypted networks, it will become harder to block such attacks.

But even if encryption makes it harder to identify the precise vector of the attack after the fact, blaming a company for not rooting out malware flowing over its network sets too high a bar. It would be like blaming the road that a burglar took on the way to robbing your house.

And that puts the spotlight squarely on Bezos’ iPhone X — which is exactly what Facebook tried to do last week, when one of its executives suggested that “operating systems” were the real point of weakness.

Apple’s iOS operating system has proved more secure than the smartphone rival Android software, but nothing is bulletproof. For instance, fixes to iOS that Apple released in August 2016, and again in December last year, pointed to the risk in some circumstances of “arbitrary code execution” — in other words, that malware would be able to run automatically on an Apple device, even if the user didn’t click on a suspicious link. The malware planted on Bezos’ phone is thought to have come via a video showcasing Saudi telecommunications, but he may never even have clicked to watch it.

And having just come back from Davos (you can read my report by clicking here), let me throw this out there: the people gathered in Davos have the money to bankroll new operating systems. For example, Jeff Bezos’ iPhone X came out in 2017, and uses a hybrid kernel, XNU, developed by NeXT in 1996. This kernel was upgraded by Apple for MacOS and later mobile iOS. Yet the hybrid also uses BSD circa 1977; 43 years ago. Android also uses BSD. Thus at the heart of many edge devices, such as smartphones and devices slated to be 5G connected, are operating systems that were developed for private PC networks 40-odd years ago and are now mostly used over the public internet. That is why today we increasingly suffer from computer insecurity (credit card terminal hacks at retailers). When AI is really used by the “bad guys” to discover new OS exploits, who knows what lovely exploits they might come up with.

 

Cisco opens Milan cyber center amid 5G security ramp-up

U.S.-based technology company Cisco said last week it is opening a cybersecurity and privacy center in Milan, Italy as part of efforts to help European governments and industry boost the security of internet networks. The investment comes as EU countries review internet network security policies. The center will be Cisco’s hub to work on issues including supply chain security, security of the Internet of Things, critical infrastructure and 5G technologies.

It will also be Cisco’s regional threat intelligence center hosting researchers of its Talos group that investigates high-profile cyber attacks worldwide, the company said. Cisco’s Talos already has two other regional threat intelligence hubs, in the U.S. and Singapore. From the Cisco press release:

“What our customers are demanding from us is to move from an implicit security model, where we said our security is good, to a much more explicit security model where we demonstrate its qualities and build in transparency. The expectations, not only from customers but also from governments, have changed”.

The move comes as European governments review policies on how to handle cybersecurity and strategic investments in the telecom and internet networks sector. European cybersecurity officials are expected to present a new “toolbox” on 5G security this week or next week. Based on a draft I have seen, it includes a series of measures for national and EU authorities to take to secure 5G networks — including by supporting the European 5G sector through investment, trade and competition rules.

Cisco, which specializes in hardware and software for internet and telecom networks, competes with China’s Huawei and other technology and telecom vendors on certain parts and services for internet networks. The Milan center, located in the city’s science and technology museum, will serve as “a space to meet, for developers, researchers and universities” and to work with industry and government partners to develop secure and private technologies, said Pastora Valero, Cisco’s vice president for government affairs in Europe.

Cisco has had a program with the Italian government since 2016 to work on digital services, education and research. It invested $100 million in the country as part of this scheme.

Cisco’s announcement is the latest in a series of pledges and commitments from telecom equipment makers to invest in research facilities in Europe. Swedish telecom equipment maker Ericsson announced January 20 that it was opening a new research and development center in France. The site will employ 300 people and “focus initially on 5G software development and security, benefitting the global 5G ecosystem and leveraging on our collaboration with French customers.”

Chinese 5G vendor Huawei also poured money into a European cybersecurity center in Brussels, which opened in March 2019, and has floated promises of investment into research facilities to European governments on several occasions. Its smaller, Chinese rival ZTE opened a cybersecurity “lab” in Brussels in July.

 

LE FIC : HOW TO RUN A CONFERENCE THE RIGHT WAY

 

The organizers of Le FIC run their event based on one thing: “the people factor”: keep people engaged, keep them at the event, service all of the players. It is why the event always has a 93% approval rating from attendees: the speakers, the vendors, the partners, and the straight “I-am-just-attending” folks. The following photos are a few snips from the past few years.

A designated area for press/media. It is where we did our first (of three) interviews with Max Schrems.

A separate place for exhibitor staff to eat and relax, and a VIP area for vendors willing to pay a bit extra to host a customer for a coffee, chat, whatever. Located just off the exhibitor hall. With eating/meeting venues throughout the conference area.

A bench at the FIC event. These are scattered throughout the venue. Not shown but behind each bench is a power outlet for recharging your phone, tablet, whatever.

 

Almost every vendor has a basic coffee/water bar and/or food bar with tables to sit and chat with prospective customers. What is becoming popular: co-working areas.

 

Rather than separate the educational sessions and vendor presentation areas, have them circle the exhibit hall (and vendors can pay extra to make sure a theatre is in close proximity to its booth)

 

It looks to be a marvellous event this year. I hope we see you there.

 
