ISMG Editors: Assessing the Proposed EU-US Data Flow PlanAlso: ISMG Southeast Summit Highlights; Binance's Response to a Cross-Chain Attack
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including trending themes from this year's ISMG Southeast Summit, plans by cryptocurrency exchange Binance to implement security measures to shore up cross-chain vulnerabilities, and the viability of a newly proposed data flow agreement between the U.S. and Europe.
The panelists - Anna Delaney, director of productions; Tony Morbin, executive news editor, EU; Tom Field, senior vice president of editorial; and Rashmi Ramesh, senior subeditor of ISMG's global news desk - discuss:
- Highlights from ISMG's Southeast Summit, held this week in Atlanta;
- How cryptocurrency exchange Binance restored operations on its BSC Token Hub smart contract last week, hours after a hacker stole BNB Binance chain-native tokens worth $568.6 million;
- How an executive order signed last week by U.S. President Joe Biden that proposes a new legal framework for commercial data transfers between the European Union and the United States has received mixed reactions in the privacy world.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 30 edition discussing whether others will follow the U.S. lead to legislate SBOMs and the Oct. 7 edition discussing the plot to leak U.S. health records to Russia.
Anna Delaney: Hello, I'm Anna Delaney and welcome back to the ISMG Editors' Panel where I'm joined by three of my ISMG colleagues to discuss the latest trends on the cybersecurity landscape. Very pleased to have our SVP of editorial Tom Field; Rashmi Ramesh, senior sub-editor for ISMG's global news desk; and our man in the EU, executive news editor Tony Morbin. Tom, tell us about why you were in Atlanta.
Tom Field: We did have our Southeast Cybersecurity Conference yesterday, it's the first time we've been back in Atlanta for one of our summits, in at least three years, maybe more. Atlanta is always a place I enjoy going because to me, it's got one of the tightest CISO communities that I've seen in the world. These are people that have worked together, they've been colleagues, they've been rivals, but they stay in touch no matter how the names on the business cards might change. But they stay in touch with one another, support one another and are great for networking and for information sharing. Yesterday coincided with the start of baseball playoffs in Atlanta, where the Atlanta Braves are defending their World Series title. We had a little bit of competition for attention yesterday. But the crowd that we attracted both to the event and hybrid internationally, terrific engagement and great focus. I would say some of the highlights of our conversations were a panel on third-party risk, which of course rises to the top of everybody's priorities today. We had good engagement from the folks on the stage as well as questions from the audience. In addition, we had a terrific incident response panel, mainly populated by healthcare executives. It was moderated by a healthcare security executive as well. He was able to get some good input from the panelists and have discussions about what works, what doesn't work where the holes are in incident response plans now. There was a discussion as well, about as much as people did or did not want to talk about, it about thoughts on the conviction last week of former Uber CISO Joe Sullivan, and the repercussions of that. That was a conversation you could find in lots of places yesterday, given this is a week beyond the court decision. The session that I particularly enjoyed, I moderated a panel with four members of the United States Secret Service, and they were talking about business email compromise, which has been a common theme among our summits this year when the Secret Service is visited with us. They updated on the billions that are being lost every year to business email compromise, talked about the tactics especially the automation is being used now by the fraudsters to pull off these schemes. Where organizations typically have gaps in being able to detect and respond, and the criticality of being able to respond quickly to this. Rashmi, this and all the conversations that you have about crypto. Once the money is stolen in a BEC scheme, it's dispersed so quickly to so many different places. If you're not on that immediately, your chances of recovering those funds just go down dramatically. It was interesting on one hand to get this insight from these veteran Secret Service agents, but then to have the conversation that this is not what you thought you were getting into when you joined the Secret Service. 15-20 years ago, when it was all about presidential protection and protecting elected officials. But there's a lot of good expertise there within the Secret Service now. I admire them going out and establishing these partnerships and being present in our discussions. I even had one of the Secret Service agents come to my subsequent lunch roundtable discussion on software supply chain security. He had nothing to offer, but wanted to sit and listen and hear what was on the minds of the executives. Here's a brief overview of Atlanta.
Delaney: It's always great when a member of the Secret Service joins a roundtable. It happened to me at our last summit in the U.S. It was great, because you get that insight, which you can't get otherwise. Wonderful to hear it went so well. Congratulations. I was watching a bit of it online as well. What did the members want to know of our community? What were the sort of questions they were asking? Where was their focus?
Field: When you came over here earlier in the year, and we hosted the event in Chicago, for many people, that was their first live event since COVID. I think we're past that now. People have gotten out, they've been in the community, they've been involved and they're starting to travel a lot more. You're past the novelty of getting together. Now, it's the idea that people do want to be talking with one another. They want more access to the vendors as well, to hear their perspectives on what are the trends that we need to be looking out for? What are some of the new solutions, everyone is faced with the same challenges, they do not have enough people and they do not have the skills that they need. They're dealing with automated attacks with tools that likely aren't automated. They're looking for a way to just enhance that detection and response. These are the things that you're commonly hearing people talk about - managed services, software supply chain security.
Delaney: Similar themes to other cities and countries, whether it's Bangalore, Paris or London, you do hear these similar challenges. Was there anything fresh or unique in terms of solutions that you heard yesterday, to help solve our cybersecurity challenges today?
Field: That's a question I wish I could to answer positively. I didn't hear anything particularly new. It's the same challenges in organizations trying to take some different approaches. These things move slowly. But I think here's one thing, I would say it was a little bit different. Hearing a little bit less about the potential repercussions of Russia in Ukraine. I think there's less concern now about something directly coming out of that, because there's too much else happening.
Delaney: I'm looking forward to join you in Phoenix very soon. Rashmi, another major DeFi bridge has been exploited and Binance's Ethereum compatible blockchain is the target. Do share the latest from the crypto world.
Rashmi Ramesh: Binance runs a blockchain called the Binance Smart Chain. A hacker exploited a vulnerability on the cross-chain bridge that runs on it, which is called the BSC Token Hub, to make about $570 million. It seems pretty run of the mill so far. But here's where it gets interesting. The hacker didn't steal the crypto from the blockchain in the traditional sense. What they did is exploit a bug that allowed them to mint new cryptocurrency. Binance, to its credit, suspended the entire chain so that the attacker couldn't move money off the chain and cash out later. But this took a while because it's not a 100% centralized platform. Binance does not have full control of the blockchain. It's run by nodes called validators who basically have to approve these transactions and Binance has about 26 validators across the world. It took a few hours. But here's how the hack happened. The attacker exploited the flaw, minted two million of the company's native token, which was at the time valued about $570 million. Some experts who analyzed the attack said that the attacker could have walked away with a cool half billion, and then flooded the market with the extra tokens to reduce its value for legitimate users. But there's another twist still. Something did not go as planned. Elliptic, which is a Web3 security company, says that the attacker began to move the currency of the Binance chain, but they moved a majority of it to platforms that are centrally controlled. All Binance had to do was contact this company and ask if their funds be frozen. I'm going to get so many hate mails for that. But Elliptic says that the attacker was eventually able to only get away with 10% of the funds, which is still a lot of free money. Binance did not confirm this, but it did release an emergency patch with a new software version and restored services. Things are back to normal, until the next attack.
Delaney: It's still $100 million in assets, isn't it? That 10%. Binance says it will share the lessons from the incident and implement security measures to shore up cross-chain vulnerabilities, as you've said in your article. Do you get the sense that other exchanges are taking note and doing the same?
Ramesh: I'm sure. DeFi is a very new and niche segment. A lot of it is something that people and companies are still discovering. Because it's grown so incredibly quickly, it's been a little difficult for people and companies to take a step back and see where the flaws are and how to fix it. I know for a fact that a lot of Web3 companies or a lot of Web3 security companies, the DeFi platforms themselves are trying to do the best they can. But cybersecurity is not something that you can master. It's a continuous process.
Delaney: Well said! Would you say Binance responded in an efficient manner? Were you pleased with what you saw?
Ramesh: I wouldn't go as far as saying pleased. But I think it did do a quick job, as quick as a decentralized platform possibly could, contacting the validators and all of that, but we'll see what happened when the company releases its postmortem report, which is expected to come sometime this week.
Delaney: Thank you, Rashmi. Tony, moving on to the EU-U.S. data flow agreement. It's all about the Titanic. U.S. President Joe Biden signed an executive order last week setting up a new legal framework for personal data transfers between the EU and the U.S. This seems to have received a mixed reaction, would you say in the privacy world. Can you talk us through the proposed changes?
Tony Morbin: We're often told about how data is the new oil and flows of data between the U.S. and EU did underpin services worth $264 billion in 2020. The EU estimates that a loss of cross border data flows on exports from data reliance sectors would end up with a reduction in EU gross domestic product of 330 billion euros annually. It's a big deal. But there's a fundamental problem and that the EU and specifically its European privacy advocates, are objecting to the way the U.S. handles the data of non-U.S. citizens. It goes right back to the revelations of NSA contractor, Edward Snowden, that the U.S. was effectively spying on everyone. An Austrian privacy activist Max Schrems successfully brought down the Safe Harbor Agreement, the rules under which data transfers have been conducted since about 2000. A new EU-U.S. data privacy framework - Privacy Shield - took its place, and that had increased protection for data privacy rights of Europeans. But they too were found to be inadequate, and eventually that was thrown out as well. This is by the European Court of Justice. As you say, now the U.S. President Joe Biden has issued an executive order enhancing safeguards for the United States signals intelligence activities. He's also signed a national security memorandum, establishing new safeguards on signals intelligence gathering. He's also creating a tribunal within the Justice Department to deal with redress for complaints, which is intended to resolve any EU-U.S. data transfer issues when people object to the fact that they've been surveilled. Now, a senior administration official said at the launch: "We're confident that this addresses the concerns expressed in the court's opinion, but we can't predict the outcome of any legal challenges that might occur in the future." You can predict, and the first indications from Schrems - the guy who scuppered the two previous agreements - his comment was "at first sight, it seems the core issues were not resolved, and it will be back to the CJEU sooner or later." Now the problem for Europeans is that the U.S. Fourth Amendment enshrines a right to privacy and requires probable cause and judicial approval for any wiretap. But this only applies to U.S. citizens or permanent residents. In Europe, the CJEU - the Court of Justice for the European Union - requires that all surveillance must be targeted, and there must be judicial approval or review under the EU's Charter of Fundamental Rights. Now Schrems' view is that the only difference is that while the EU seeks privacy as a human right, which applies to any human, the Fourth Amendment only applies to U.S. citizens and permanent residents. He says that, in the view of the U.S., Europeans have no privacy rights as U.S. laws allow surveillance that is illegal under the Fourth Amendment, so long as no Americans are targeted. He goes on to say that it seems that the EU and the U.S. agreed to copy the words necessary and proportionate into the executive order. But they didn't have the same agreement on what the legal meaning was going to be. If it did have the same meaning the U.S. would have had to fundamentally limit its mass surveillance systems to comply with EU understanding of what is proportionate surveillance, and intelligence gathering limitations agreed by the U.S., in his view, just don't go far enough. The second issue is who's responsible for redress? A senior administration official said what you'll see with this (tribunal) is a far more independent tribunal with the backing of the Attorney General when it comes to enforcement. Whereas Schrems described the tribunal and the Justice Department as simply not a court, saying the charter has a clear requirement for judicial redress. Not just renaming of some complaints body as a court. That doesn't make it an actual court. A court or this particular tribunal has already said that it will respond to any complaint, effectively no matter what your argument or case by saying the review either did not identify any covered violations of the data protection review court issued and issued a determination requiring appropriate remediation. That's kind of the situation with the U.S. and EU. In contrast, also this month, the U.K. brought into force, an agreement with the U.S. on access to electronic data for the purpose of countering serious crime - the Data Access Agreement. The U.S. government says our agreement will maintain the strong oversight and protections that our citizens enjoy and does not compromise or erode the human rights and freedoms that our nations cherish and share. But the purpose is to allow information and evidence held by service providers in each country relating to prevention, detection, investigation or prosecution of serious crime to be accessed more quickly than ever before. It remains to be seen whether this also will impact U.K.-EU data transfers. We're talking big business, important stuff. It doesn't appear as though we're all working on a level playing field at the moment.
Delaney: That's a very thorough overview, Tony. I'm guessing by your backdrop, we're going to hit an iceberg soon.
Morbin: The EU is wanting to approve Biden's new regulations, and it probably will do, but then that's subject to objection. There will be an objection from Schrems. On the basis that you can see so far, it looks as though that objection will be upheld. We're probably looking at hitting the iceberg in 2023.
Delaney: Long road ahead.
Morbin: While to go, and ultimately, it does have to be resolved because it's just too important. We've got people like Google and Meta saying they're going to have to pull out of Europe if they are not able to get this sorted because it's to do with where they store data. It effectively means you can't be a cloud provider.
Delaney: Yeah. And all the other organizations of course, some of the smaller and medium organizations.
Morbin: They've had interim kind of agreements with country by country contracts of agreement and so on, but it makes everything a lot more complicated.
Delaney: Thank you, Tony. Final question: You have created a new phishing training awareness program. What would you call it?
Field: It is going to be called FPS - For Phish Sake.
Delaney: Rashmi, any thoughts?
Ramesh: I'm going to be very cliche and name it: Don't take the phishing bait, with a fish and a red line crossing is my logo.
Delaney: I love it. You've even got the graphics in place. One step ahead.
Delaney: Tony, no icebergs in this one?
Morbin: No, I am simply going to go for Gotcha because they're going to get you. People will fall for it. My favorite one was the one where the email went out saying we've had a thief stealing things from the fridge in the kitchen.
Delaney: I'm going to call my awareness training Lumpsucker Awareness Training. I'm going quite literal here. Apparently there is a fish called lumpsucker. Lump comes from the round shape and sucker for its ability to suction, rocks and kelp. A bit of deception here; looks cute, names sounds ugly, suitable phishing deception all melded into one. Thank you very much everybody for your creativity and your great insights. I've enjoyed this Tom, Tony and Rashmi. Thank you so much for watching. Until next time.