Privacy Please
Welcome to "Privacy Please," a podcast for anyone who wants to know more about data privacy and security. Join your hosts Cam and Gabe as they talk to experts, academics, authors, and activists to break down complex privacy topics in a way that's easy to understand.
In today's connected world, our personal information is constantly being collected, analyzed, and sometimes exploited. We believe everyone has a right to understand how their data is being used and what they can do to protect their privacy.
Please subscribe and help us reach more people!
S6, E248 - Inside the Walls: Military's Stark Warning on Network Compromise
The US military has issued a stark warning to all forces to operate under the assumption that their networks have been compromised by Salt Typhoon, a sophisticated threat actor with ties to the Chinese government. This breach highlights the urgency for organizations to adopt Zero Trust principles as cyber warfare becomes the new battlefield.
• Zero Trust is a framework, not a single product or technology
• The first tenet of Zero Trust is treating networks as already compromised
• Salt Typhoon remained undetected in networks for almost a year
• The threat actor targeted telecommunications, energy, and transportation infrastructure
• Critical national infrastructure remains at high risk from similar focused attacks
• Traditional security approaches focusing solely on perimeter defense are inadequate
• Once compromised, networks may never be fully trusted again
• Verification must occur upon every access request, not just initially
Speaker 1:Alrighty then, ladies and gentlemen, welcome back to another episode of Privacy Please. I'm Cameron Ivey, alongside Gabe Gumbs. How you doing, Gabe? How we doing?
Speaker 2:I am good, I'm good, we are dead in the middle of it. It's a couple of weeks before Black Hat and DEF CON, gearing up for that summer festival. Yeah, Hacker Summer Camp, Hacker Summer Camp. When's that again? That's coming up, um, August, August. So Black, uh, DEF CON's August 7th, starts at August 7th, but there's a bunch of things going on, right. So you've got BSides, which starts the weekend prior, right, Black Hat, which I think kicks off on the 5th. I could be wrong about Black Hat, I don't remember, but DEF CON starts on the 7th.
Speaker 1:I was pretty excited and I haven't been. I don't think I've been to Black Hat one time, but I haven't been to any of those in a couple years now.
Speaker 2:Yeah, something about not going to the desert in the middle of summer. That's okay with me quite frequently, it's okay. It's okay. It's okay to miss one once in a while, although it's a great time. It's an awesome time. It's always good to catch up with friends and, you know, make some new ones in the security community. It's always some amazing talks on display. It's always a good time. No complaints, except for the weather. The weather be the complaint. 120 night is. We're not built for that as humans, quite frankly.
Speaker 1:No, that sounds super uncomfortable.
Speaker 2:Yes.
Speaker 1:I was driving the other day I saw this guy on a scooter with like a black sweater hood, on jeans, walking in the middle of the day almost 100 degrees. I'm just like I don't how, why, what are you? What's?
Speaker 2:happening Across the street. Man Across the street Sounds like a Luigi's scenario, like I wouldn't be worried unless I'm the CEO of a large healthcare company, is it? I don't know, we may have just lost a couple of subscribers on that one.
Speaker 1:No, no, we got this. So, Gabe, I'm going to paint a picture for you and for, obviously, the audience, on what we're going to go into talking about today. So imagine you're in charge of defending a fortress. For years, you focused on strengthening the walls, locking the gates and watching the perimeter. Then, one day, a stunning order comes down from the top. Stop worrying about the walls. Assume the enemy is already inside with you. It's pretty powerful. Yeah, there was a stark you pulled me into this about a stark warning that the issue to all US forces to operate under the assumption that their networks have been compromised. Let's dig into this.
Speaker 2:So one of the more interesting things about that statement, of course, is, and we've talked about it, I think, on this show more than a few times, operating under the assumption of compromise. In fact, right before this, right before we hit the record button, we were talking about the last time I gave a public talk, and it literally just reminds me the title of that talk was the bust out the old deck, and maybe we'll link it to this episode, but it was around the very notion of how we adopt the NIST zero trust principles, because the NIST zero trust principles literally begin with the assumption of compromise, and so, in one breath, they're not saying anything that you shouldn't be doing or they shouldn't have already been doing from an operational standpoint, but what they're actually saying here is no, no, no, no, no. This is not a drill. This is not a drill. Assume that this network is freaking compromised. That's a big deal.
Speaker 1:And what were your first thoughts, besides just saying, oh shit, like what, like this is a big deal.
Speaker 2:You can't shut the barn doors is the first thing that came to mind. Like I do not know if you can uncompromise a network. The thing with the assumption of compromise is you should assume that you also can't uncompromise the network. So in one breath it will certainly accelerate the adoption of zero trust within critical infrastructure. So that's a positive. But the thing that worries me there, of course, is well, the networks should just be considered actually compromised.
Speaker 1:Right, okay, so real quickly. Most of our listeners should probably know this, but let's just play the fun role of Gabe. What is zero trust and why is it the recommended solution that it's going to fall into?
Speaker 2:It's a framework. So, first and foremost, it is not something that is purely tangible. It is not any one singular product. So if anyone told you they have a zero trust that you can buy, be wary. We warned you, we warned you, we warned you. It is a framework under which one of the first, not one of, but the first tenet of zero trust is that networks should be treated as though they are already compromised. And when you do so, it means that you need to do things like validate access upon every request. So not just grant access and then allow access to always be given; upon every request for an asset, revalidate access. That's just one of the many things that zero trust encompasses. It is a NIST framework, it is published by NIST. I don't remember the number, unfortunately. I guess I'm not that big of a zero trust geek.
Speaker 1:Hey that's all right, that's all right, you don't know everything.
Speaker 2:I could probably quickly look it up but it is a framework, and so a lot of vendors selling different security solutions will kind of operate under this banner that their technology will assist you in doing so. That is a good thing. Quite frankly, it's difficult to achieve zero trust without some help in some of those environments. But again, the warning be there is no silver bullet for zero trust. And it is not just technology, it is also protocols and procedures. Right, there's quite a bit more to it.
Speaker 1:Can you humor me a little bit on this? The sophistication and patience of Salt Typhoon. What exactly is that?
Speaker 2:Salt Typhoon is a threat actor believed to be tied to the Chinese government. That is, the threat actor believed responsible behind this breach of the network.
Speaker 1:Well, they're a well-sourced cyber espionage group with links to the Chinese state. Yeah, their ability to remain in a network for almost a year without detection points to a high level of sophistication and patience.
Speaker 2:Hence the reason I don't know that one can ever trust that network ever again. A year is a long time to bury yourself in.
Speaker 1:Yeah, I mean. Obviously the biggest worry is their focus on stealing data that can be used for future, potentially more damaging attacks on critical national infrastructure. Yeah, yeah, it's not good.
Speaker 2:No, it's not good. It's not good, it's not good at all Not good.
Speaker 1:So what's being done? What do you know that's being done so far? What do you think the this warning?
Speaker 2:being issued. I don't know of anything being done. Well, like, who would handle this? Do you think the this warning being issued? I don't know of anything being that well, like, who, like, who would handle this, you think? Like? That's also a great question, you know. I'm honestly not certain I know the answer to that, but we've got some folks in the intelligence community. We should probably snag on the show to talk about that. Um, I don't know who picks up the ball from there. Really, I could, I could throw out all kinds of wild guesses, but they, they might just be that, are wild guesses. Yeah, I don't actually know. I know this much, though, that we should all certainly heed that warning and operate under the same tenets though, yeah, which I guess is just a long-winded way of saying hello, everybody, wake up, please. If you haven't already started adopting zero trust, do so. Do so now. Everyone should adopt?
Speaker 1:Yeah, because to that point there's broader implications that go beyond national security and privacy. So beyond military networks, Salt Typhoon also targeted telecommunication, yeah, just like AT&T, Verizon, all compromised record like basically been accused of AT&T and Verizon was accused of recording private conversations of senior US political figures. There you go. They targeted critical infrastructure like energy and transportation, highlights the potential of widespread, so probably stuff like Uber, I would imagine.
Speaker 2:Yeah.
Speaker 1:And Lyft and all those type of. There's so much information on that, so this is really big and it's, it's saying that this is also a pattern, Gabe, this is not just a one-off of that.
Speaker 2:No, not at all, and it will continue to be.
Speaker 1:You know, cyber warfare is the new warfare. Yes, conventional warfare still exists, but it is the new war, yeah. So yeah, this is super interesting, but maybe we'll dig into this a little bit later. If anybody has any questions or knows more about this stuff, we'd love to have you on or just shoot us a message. But yeah, we'll see you guys next week. Gabe, thanks for the chat Right on, right on Next week. It is Sounds good. See you guys.