Interview with Darin Andersen, Chairman/Founder
March 8, 2017
Topic: WikiLeaks releases what it calls CIA trove of cyber-espionage documents
Maureen Cavanagh (host): Joining me is Darin Andersen. He’s a member of California’s Task Force on Cybersecurity, chairman of CyberCalifornia and chairman/founder of a cybersecurity company. Darin, welcome.
Q: The cybersecurity world wasn’t really surprised by the information in this leak, was it?
A: Not really. We’ve seen some WikiLeaks for quite a while now, starting with the Chelsea Manning documents, for example. So it wasn’t too big of a surprise.
Q: You talk about “depth of scrubbing” – that area being somewhat of a revelation in this WikiLeaks stuff. What does “depth of scrubbing” mean?
A: Well, what I mean is, the level at which you scrub depends on the level at which you see a threat occurring. As the threat level goes up, you may dig a little deeper into the data. And I think that’s what may have happened here. It may have triggered these latest dominoes. The CIA is looking more actively and harder than ever – because the threat level for the nation is increased.
Q: Is there anything in this information that indicates that the CIA is using this technology on Americans, here in the U.S.?
A: What you have in this latest set of WikiLeaks is the exposé of the CIA’s “cookbook” for how they actually hack into accounts. What they do is they have a series of tactics and techniques that they use to break into different kinds of accounts, be it smart phones – they’ve been able to exploit both Apple and Android phones – traditional laptops and servers, as well as some new devices, the “Internet of Things,” what I like to call the “live-ables,” “wear-ables” and “drive-ables.” What’s new about the information is there’s definitely information being gathered on American citizens. How that information is used, foreign and domestic, is what’s in question.
Q: Are there laws that prevent the government from snooping on average U.S. citizens?
A: There are privacy laws that do exist, and historically, Americans have had an expectation of privacy that’s somewhat unique to the Western world. Europe values privacy more strongly. Americans, I would argue, give away our privacy by clicking that checkbox to get the latest application. But in the Far Eastern countries, there’s really not an expectation of privacy. So yes, there are laws that do protect U.S. citizens and our privacy rights. A lot of that comes through the SEC and credit reporting agencies that have to lay out their ability to look into our personal information. And the government has guidelines, as well.
Q: I’ve read that the espionage hacks described in the WikiLeaks dump are things a lot of hackers might be able to do. You wouldn’t need the CIA to come up with it.
A: You know, we’ve seen tactics and techniques that are familiar to us. Don’t forget that we are battling with foreign adversaries, nation-states that are well-funded, extremely motivated to take our intellectual property, steal our national security secrets and compromise our defense. So the CIA would – and does – rationalize this kind of activity as defensive, or in some cases, an offensive response. Typically, only the U.S. government employs and deploys what I would call “offensive” cybersecurity tactics, which is what’s described in this WikiLeaks “cookbook.”
Q: What’s the difference?
A: Well, typically, we play a lot of defense in this country. I call it the “100 Door Problem.” We’re trying to defend 100 doors, while nation-state adversaries and hacktivists are trying to find that one open door, that one way to exploit and find a way in. The offensive is the opposite of that – where you’re actually looking at your adversaries’ systems that are trying to break into your systems. So you’re playing defense to protect, and playing offense to go on a more aggressive tack.
Q: So far, the CIA has not responded at all to this latest WikiLeaks information. How much credibility does WikiLeaks have in the cybersecurity world?
A: I think it’s a love/hate relationship. Again, they expose tactics and techniques that are pretty familiar to us in the business. We are aware of their capabilities. As you may recall, it was a private company, an Israeli company, that was brought aboard to break into the iPhone in the San Bernardino massacre. Again, the private world is familiar with many of these tactics and techniques. But I think what’s novel here is that it’s another big display of information to the general public, that the government is watching.
Q: Since ordinary hackers can already breach security on some phones, TVs and computer systems and so forth, what can people do to protect themselves?
A: I like to propose and suggest what I call practicing good cyber hygiene. It’s the simple things of changing your password regularly, don’t share your password to the Internet with your friends. Out-run the person who’s hopefully behind you with the bear behind him. You’re what I call the “hard target” and others are the “soft target.” So if you outfit yourself by keeping your passwords updated, by updating your software to make sure that any security holes are being patched, you’ll have a much better chance that hackers will move on to somebody else who’s more vulnerable.