Kevin Mandia’s 10 Scariest Statements At FireEye Cyber Defense Summit

FireEye CEO Kevin Mandia dishes on why deepfakes will erode public confidence, why researchers are struggling to find the initial victim of cyberattacks, and why cyber espionage is here to stay.


Offensive cyber activity continues to escalate at a slow pace as each country attempts to figure out what the boundaries are for tolerable behavior, according to Kevin Mandia, FireEye's CEO and board director.

Mandia told the 2,300 attendees at the FireEye Cyber Defense Summit 2019 in Washington, D.C. that he worries it’ll take something intolerable for nations to come together and put some rules of the road in place around what is or isn’t a permissible cyberattack. The lack of cyber guidelines applies both to how nations behave toward other nations and to how they behave toward their own citizens.

As a result, Mandia said he’s worried about the slow creep toward an intolerable or catastrophic event. Here's a look at what Mandia said to attendees and members of the media about why deepfakes will erode public confidence, why researchers are struggling to find the initial victim of cyberattacks, and why cyber espionage is here to stay.

10. “There’s really no rules. Nobody knows what you can do in cyber when you develop an offensive capability.”

The rules of engagement in cyberspace remain uncertain despite decades of offensive activity in the space, Mandia said. Virtually every nation is learning how to use cyber tools for espionage, but each brings its own culture, laws, perceived enemies, desires and agendas to the table, according to Mandia.

In recent years, Mandia said Russia’s hacking of an election campaign to take and leak documents has ushered in a new era of disinformation campaigns. And in 2017, Mandia said FireEye saw more intruders representing the interests of Iran coming onto the scene.

Thus far, Mandia said there have been a few rules in the playground that no nation has broken when going offensive in cyberspace, but there’s no certainty that’s going to continue.

“Everybody is wondering where’s that boundary of intolerance, where’s that red line in cyberspace,” Mandia said.

9. “There are few risks or repercussions for the folks on offense”

The industry has seen a shift from no risks or repercussions for adversaries to a few as the United States started indicting the hackers involved in unlawful operations, Mandia said. The U.S. indicted threat actors on five separate occasions last year, Mandia said, including the North Korean actors behind the WannaCry ransomware and the Bank of Bangladesh hack.

As a result of the indictments, Mandia said that investigative findings by the FBI and other government agencies are now being made public. Although Mandia isn’t convinced that the indictments have changed the hackers’ behavior, he’s pleased that Western nations are more thoughtfully considering what they can do with the evidence they’ve compiled.

“We can pierce anonymity behind the folks causing harm on the internet and breaking what we think should be the acceptable rules of engagement,” Mandia said. “We may not get to the people who did it, but the world’s being put on notice.”

8. “If you’re hacked and you know it, it’s far more probable you’ll be discussing the intrusion in a public way or a semi-public way.”

If a business has been compromised and knows it, Mandia said it’s certain that someone else knows as well. Organizations often find it frustrating that, during the fog of war, they’re forced by regulation or public attention to start communicating about an intrusion even though it’s far from certain what actually happened, according to Mandia.

When companies are first made aware of suspicious activity, Mandia said they typically don’t know the scope of the incident, its definite impact, or even if an intrusion really happened in the first place. But Mandia said the public has often already heard about the potential breach due to a blog post or newspaper article indicating that the company has been compromised.

Documents stolen during an intrusion are increasingly getting leaked or promoted by various Twitter handles, Mandia said. He anticipates that deepfakes will end up getting propagated in cyberspace by the same means as stolen documents.

7. “Technology gets released faster than our ability or will to secure it and understand the ramifications of how it’s being used for malintent.”

A security gap that favors those looking to cause harm will always exist due to the proliferation of new technology with uncertain security ramifications, according to Mandia. And Mandia said it’s extremely difficult to predict what the next great wave of compromise is going to be.

The gap also persists due to the premium people place on having an anonymous internet since a lot of cultures equate anonymity with privacy and see it as a positive, Mandia said. But from a security standpoint, Mandia said anonymity accentuates the capabilities and influence of those who want to cause malice and harm.

As a result, Mandia said enterprises wake up every day and have to attempt to defend their information, applications, and people against adversaries who could be sitting 10,000 miles away. And from a consumer standpoint, Mandia said people are increasingly wondering if the news they receive is genuine, disingenuous, or intentionally placed there to alter their decision-making process.

6. “There’s nothing more convenient than for the Heads of State or Secretaries of State to meet [with one side] knowing the thoughts of the folks they’re negotiating with ahead of time.”

Both economics and security follow geopolitical conditions, Mandia said, meaning that changes in the geopolitical landscape will lead to changes in the cybersecurity landscape as well. As a result, Mandia said the tools used by nations to address ideological differences or tensions with other nations are typically found in cyberspace.

As FireEye responds to breaches, Mandia said the company has seen more targeting of telecommunications, including the content of text messages of certain individuals tied to certain phone numbers.

Cyberattacks reflect policy decisions, and Mandia said nations are all gradually escalating their rules of engagement. Nations can agree over time that certain criminal cyber behaviors won’t be condoned, but Mandia said that cyberespionage is here to stay.

“Every nation is going to conduct espionage for the security of their people,” Mandia said.

5. “I’m convinced that China, Russia, North Korea, Iran, the United States … could masquerade as one another should they choose to do so.”

Countries will often be surreptitious when going on offense and operate in a grey area where people are unable to get attribution, Mandia said. But to date, Mandia said that no modern nation has deliberately masqueraded as someone else by copying, mimicking, and using all the infrastructure and tools, techniques and procedures of a different threat group.

Although no government-backed threat group has engaged in a false flag operation, Mandia said it’s not due to a lack of capacity. Both major nation-state actors as well as emerging actors getting into offensive cyber operations could impersonate one another if they desired to do so, Mandia said.

But Mandia said that nations have stopped short of doing that and have instead chosen to operate in a more ambiguous environment where it’s unclear which nation carried out an attack. Breaking this rule would represent a major escalation, Mandia said.

4. “We’re not finding victim zero as much as we used to.”

Spear phishing used to be by far the most common way to break into an organization, Mandia said, with between two and seven company employees receiving a very well-targeted email. These messages exploit human trust to get someone to open an attachment or click on a link in an email, according to Mandia.

But based on forensic reports Mandia has read, the threat actors already had valid credentials prior to accessing the target network in roughly half of the intrusions of consequence that FireEye is now dealing with. Hackers could have obtained these credentials through a third-party compromise or by mining the stores of login data from all the different third parties that have been compromised over the last decade.

As a result, Mandia said that in many of the breaches the attacker simply logs into Office 365 with valid credentials, so victim zero is an account that got logged into rather than an employee who was phished. The compromising of supply chains and the use of credential stuffing by malicious actors have made it that much more difficult to find victim zero, according to Mandia.
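The credential-led intrusion described above leaves no phishing mail or malware to trace back from, so the detection has to come from the sign-in records themselves. The following is an added example, not FireEye's code or anything shown at the summit: it runs two toy checks over a constructed sign-in log, one for a successful login from a country the account has never used (an attacker who already holds valid credentials) and one for credential stuffing (a single source IP failing against many accounts and then succeeding). The CSV schema, the `BASELINE` of known countries per account, and the thresholds are all assumptions made for the example.

```python
"""Toy sign-in detections for the 'valid credentials, no victim zero' pattern.

Added example, not FireEye's code. It runs two checks over a constructed
sign-in log: a successful login from a country the account has never used
(an attacker who already holds valid credentials), and credential stuffing
(one source IP failing against many accounts, then succeeding).
The log schema, the baseline and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed CSV schema: timestamp,user,result,src_ip,country).
# Not real data; documentation-range addresses only.
SAMPLE_LOG = """\
2019-10-07T08:01:12Z,alice,SUCCESS,203.0.113.10,US
2019-10-07T08:03:40Z,bob,SUCCESS,203.0.113.11,US
2019-10-07T09:15:02Z,alice,SUCCESS,203.0.113.10,US
2019-10-07T22:41:09Z,alice,SUCCESS,198.51.100.77,RO
2019-10-07T23:00:01Z,carol,FAILURE,192.0.2.5,NL
2019-10-07T23:00:02Z,dave,FAILURE,192.0.2.5,NL
2019-10-07T23:00:03Z,erin,FAILURE,192.0.2.5,NL
2019-10-07T23:00:04Z,frank,FAILURE,192.0.2.5,NL
2019-10-07T23:00:05Z,grace,FAILURE,192.0.2.5,NL
2019-10-07T23:00:06Z,bob,SUCCESS,192.0.2.5,NL
"""

# Assumed per-account baseline of countries seen in earlier, trusted history.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse_log(text):
    """Parse the CSV lines above into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip, country = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ok": result == "SUCCESS",
                       "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def new_location_logins(events, baseline):
    """Successful sign-ins from a country absent from the account's baseline.

    No failed attempts precede these, which is exactly why there is no
    phishing mail or brute-force noise to trace back to a victim zero.
    """
    return [(e["user"], e["ip"], e["country"]) for e in events
            if e["ok"] and e["country"] not in baseline.get(e["user"], set())]


def credential_stuffing(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs that fail against >= min_accounts distinct users inside
    `window` and then succeed against any account from the same IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        recent_fails = []  # (ts, user) failures still inside the window
        for e in evs:
            recent_fails = [f for f in recent_fails if e["ts"] - f[0] <= window]
            if not e["ok"]:
                recent_fails.append((e["ts"], e["user"]))
                continue
            tried = {u for _, u in recent_fails}
            if len(tried) >= min_accounts:
                findings.append({"ip": ip, "victim": e["user"],
                                 "accounts_tried": len(tried)})
    return findings


def run_detections(text=SAMPLE_LOG, baseline=BASELINE):
    """Run both checks and return their findings keyed by check name."""
    events = parse_log(text)
    return {"new_location": new_location_logins(events, baseline),
            "credential_stuffing": credential_stuffing(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

In the constructed log, alice's account is used from a new country with no failures at all, which is the "victim zero just got logged into" case; bob's account is reached by the stuffing source and shows up in both checks. Real sign-in logs carry more useful fields (user agent, ASN, MFA result), and the baseline should be built from a trusted history window rather than hand-written as it is here.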

3. “In a closed society, if we compromised another nation and posted Putin’s email, they [the Russian people] would never see it.”

A massive asymmetry exists between closed societies that are hacking on offense and open societies that rely on the internet for commerce and communications, Mandia said. As a result, Mandia said devising a ‘tit for tat’ response to something like Russia’s hacking of Hillary Clinton campaign manager John Podesta’s emails during the 2016 presidential election becomes extremely difficult to do.

If a foreign adversary goes offensive, gets their hands on someone’s emails, and posts them publicly, Mandia said the hacked emails will be searchable on Google and will be written about by reporters in the United States. But Mandia said the dissemination of personal communications of government officials in a closed society will never be seen by the local population.

Given that digital communications often get stored more permanently than we realize, Mandia said people need to be mindful of the inherent asymmetry between open and closed societies and the potential for continued invasions of privacy.

2. “With the anonymity of the internet, you get stuff that looks and feels real, and no one can tell you otherwise no matter how often they look at it.”

The increased ability to do audio and video deepfakes combined with the anonymity of the internet is an extremely potent combination for people looking to cause malice. And once someone watches a president or head of state saying something in a deepfake video, Mandia said people will never be able to get the image out of their heads, and it’ll influence their psyche in subtle ways going forward.

Our ability to determine the authenticity and genuineness of a WAV file, audio file, or video file will erode over time, Mandia said. And in effective deepfake campaigns, Mandia said the digital evidence won’t be present, meaning that the only way to determine authenticity will be by assessing the trustworthiness of the presumed source.

“Over time, we’ll create an environment with deception, fake information, and information operations can start influencing a large enough minority that you have real dissention in the ideals and trust in governments, people, or leaders,” Mandia said. “I don’t think the world wants to wake up and have to guess if it’s being lied to or not.”

1. “What do I genuinely worry about? It’s that event where we look at each other and say ‘Wait, I think this is intolerable.’”

Mandia believes that a gentleman’s agreement is currently in place that nations conducting cyberoperations not change or alter data as part of their intrusion effort. Despite having thousands of examples where nations or financial criminals could have corrupted PII, health care data, or credit scores in a breached organization, Mandia hasn’t seen any examples of them actually doing so.

“I don’t think any nation wants to see that start to topple over,” Mandia said. “If one nation does it, do they all start doing it? I hope not. That’s a bad escalation for everybody.”

In addition, Mandia said threat actors hacking out of Iran, China, and Russia have attacked the private sector to steal information, but don’t try to inflict damage beyond that by, for instance, destroying the company’s systems. The only clear example of a nation-state group deliberately destroying or harming something in the private sector is North Korea’s 2014 hack of Sony Pictures, Mandia said.

“I worry about where things are escalating to in cyberspace, because it’s still going up,” Mandia said. “And what’s it going to take to say, ‘let’s bring it down’?”