ISMG Editors: Russia's War Has Changed the Cyber Landscape
Also: The Impact of Cyber Firm Layoffs; Criminals Offer Bug Bounty Program Anna Delaney (annamadeline) • July 1, 2022In the latest weekly update, four Information Security Media Group editors discuss important cybersecurity issues, including how Russia's cyber and kinetic wars in Ukraine have changed the cybersecurity landscape, what recent layoffs at cybersecurity firms mean for the industry and how cybercriminals are taking a page out of the white hat hacker's playbook.
The editors - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, business; and Tony Morbin, executive news editor, EU - discuss:
- A look at the biggest story of the year so far - the Russia-Ukraine war - and trends to watch in the second half of 2022;
- How threat detection firm IronNet has laid off 17% of its staff 10 months after going public;
- How the ransomware-as-a-service gang LockBit is taking a page out of the white hat hacker's playbook to offer a bug bounty program for researchers willing to aid in cybercriminality.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 3 edition discussing whether we are closing in on a U.S. federal privacy law and the June 24 edition discussing the settlement in the Desjardins Group data breach lawsuit.
Anna Delaney: Hello, this is our weekly edition of the ISMG Editors' Panel. I'm Anna Delaney. I'm joined by three of my colleagues to share their take on the latest cybersecurity stories. They are Tom Field, senior vice president of editorial, Tony Morbin, executive news editor for the EU, and Michael Novinson, managing editor for ISMG business. Great to see you all.
Tom Field: Happy that it's summer.
Delaney: Tom, stunning background. Tell us more.
Field: It's the first weekend of summer. As you recall, last week when we were here, we had just come from our New York cybersecurity summit. And I had nothing but Times Square buildings in the view behind me. I got home on Wednesday. And by Friday, I was seeing this site, which is the lake right out in front of my lake house where I spent the weekend unwinding and enjoying the first weekend of summer 2022.
Delaney: It looks like a painting. Tony, to another piece of art.
Tony Morbin: Going to have to apologize to the Greeks here because it's the Parthenon Marbles. I'm currently at the National Gallery, although there's a lot of moves to get them back to Greece, but they're a lovely sight here. I thought I’d see them while they're still here.
Delaney: Topic of hot debate. But great to see them. And Michael, I love this.
Michael Novinson: It's not bad. This is the Looff Carousel in Pawtucket, Rhode Island. It’s the oldest continuously operating stationary carousel in the United States, since 1895. The price is good. It's 50 cents a ride; children under two ride free. The rides last 10 minutes. It’s fun, if any of you find yourselves in Rhode Island.
Field: Not far from Boston, Anna, when you visit the northeast.
Delaney: I'm still in New York in my head this week. This is the interior of the Met Opera House. It's a feast for the eyes and the ears. Tom, we are midway through 2022. What's the top theme of this year for you?
Field: As we go into the weekend, we are in the second half of 2022. As you look back on the first half of this year, the story of the year has been the Russian invasion of Ukraine for several reasons. One, this is the nation-state-driven cyberwar we have talked about for decades. For a long time, we've talked about what would happen if there was a nation-state hostility, and cyber was a critical component of it. We've seen it now. It involves other nations. I don't want to escalate this to the state of a world war, but you're seeing other nations get involved in addition to other nations' partisan forces. I don't think that we sat back and foresaw ransomware gangs getting involved in this conflict on one side or the other. I don't think we foresaw the power of the hacktivist community to come in and exert their force, or freelance cybersecurity professionals that want to aid Ukraine or lend them their power. I don't think we foresaw that. As we sit here, you can't help but talk about the residual impact of this, and the impact on critical infrastructure, how this affects ransomware, and how it affects cybercrime. Bottom line is, we don't know. As we enter the second half of the year, this becomes one of the overriding stories, still, there's no end in sight. There's no clear victory in the sight. We don't know how these storylines are going to play out. But we do know that they're going to significantly influence the conversations we have, and the decisions we make in the second half of this year.
Delaney: There was a warning at RSA to not get too complacent because you've not experienced a massive cyberattack as a result of the war. I had an interesting conversation with Elvis Chan of the FBI in San Francisco, who was worried about cyber retaliatory attacks on behalf of the Russians, critical infrastructure, election infrastructure, energy sector, transportation and the financial sector. He's concerned about three types of attacks: coordinated ransomware attacks, data wiping attacks and continued spear phishing attacks.
Field: Complacency is an issue. We've talked about this in past conversations. We like a story that begins on Monday and by Friday, you know the end of it. That isn't the case with this one. As we go on, we are likely to have desperation enter the field from Ukraine or Russia. Desperation creates a new sense of urgency, and desperation creates more storylines that will be following. Elvis Chan is spot on.
Morbin: That whole idea of hacktivists getting involved concerns me. You can understand either patriotic Ukrainians, Russians, or idealistic people jumping in to support those that they do support. But we've already seen them: Malaysian hacktivists attacking India for perceived slights in terms of religion. We've seen hacktivists attacking Lithuania, which looks in line with the government policy. You're getting genuine hacktivists jumping into things that used to be the realm of the state, and the state hiding behind hacktivists to do the things that they would have previously been wary of doing. This kind of escalation is my big concern.
Field: Tony, you know where that scares me domestically? We have a polarizing U.S. Supreme Court that is making decisions that is upsetting a good part of the population. What happens if the hacktivists community gets involved? And why wouldn't they? I think this is the world we live in now.
Morbin: Yeah. For hacktivism to become a legitimate means of expression is dangerous. I was about to say something that doesn't apply in America, which is you wouldn't let ordinary people have machine guns. But in the rest of the world, you wouldn't let ordinary people have machine guns. You'd restrict that to the military. You're giving military grade weapons in the form of cyber to the average person.
Delaney: It's going to be interesting. Remember that Russia relies on Western technology, and in six months' time, they're not going to be getting patching and updates. What will that look like in six months' time? We will be in a different situation.
Field: I come back to what I said moments ago, Anna. We don't know.
Delaney: Michael, from one insecure story to another, you've been reporting on more layoffs this week, unfortunately. Tell us more.
Novinson: It's been a rough past 40 days for the industry. We've seen seven companies that have publicly disclosed layoffs that started in late May. We had Lacework, Cybereason, and OneTrust. Since the start of RSA, we've had Deep Instinct, Automox, and Aura. Now, most recently, we've had IronNet announce layoffs. These layoffs have affected anywhere from 10 to 25% of their staff in the case of OneTrust. There are a couple of dynamics which are interesting to watch. The first is that these are not universal. There are specific characteristics we see in the companies that are doing these layoffs. The first several in terms of Cybereason, OneTrust and Lacework were all companies that were expected to IPO either this or next year. There's no opportunity for them to do that. They need to make the cash that they have right now last longer. That's the main reason they're doing it. We've seen some earlier-stage startups. We've seen Deep Instinct and Aura, both of which are unicorns, with valuations in excess of a billion, do layoffs. In 2022, when they get unicorn valuation, it's less clear that they did get that. I saw Automox, which is a mid-to-early stage startup that did a nine-figure funding round last year, but they're a newer company. Most recently, with IronNet, we've seen a publicly traded company do it, at a relatively small one. It’s not universal. People who are losing their jobs are finding that they're getting a lot of offers. I had spoken to an individual who was laid off at Cybereason. He had posted about it on LinkedIn, and in 18 hours, he had been contacted by CrowdStrike, SentinelOne, Sophos, and by a number of security startups. I wanted to speak to him about job opportunities. Anna and I were at RSA. Lacework did the layoffs. Wiz, who was in our studios, was getting a lot of questions about whether they're looking to do something similar. When I was speaking to the folks at Wiz, they were clear that they are continuing to hire. We've spoken to some of the folks who've lost their jobs. Wiz is not thinking about layoffs, even though they are also a venture-backed company. The other thing that's important to look at is who is investing in these companies, when you're talking about the startups, because so much of this is investor-driven. In particular, SoftBank was backing the companies that did these layoffs. So, they've got Cybereason. They led the rounds in 2015, 2017, and 2019. And similarly, they've been involved in funding OneTrust. SoftBank had a lot of challenges. Most notably, they had gotten involved with WeWork, and the people who are financing them have subjected them to a lot more scrutiny. We're seeing that the message they're putting out to their portfolio companies is that they’re not coming to save you, and you need to figure out how to make things work with the money you have. I know a company outside of Israel that did a report on SoftBank and their investments in Israel. They're saying that 20% of the tech layoffs we've seen this year are from companies that are backed by SoftBank. I think that matters. The other thing, which is important to think about is that you saw some non-traditional investors get involved in cybersecurity last year. To call out two examples, in terms of Cybereason: they received north of $200 million of funding from Liberty Strategic Capital. That's a venture capital firm that was created by Steven Mnuchin, the former U.S. Treasury Secretary. This was the first investment they'd ever made in cybersecurity. They went with a big nine-figure investment. But they don't have the type of background in the industry that an inside partner, or KKR, or Thoma Bravo has. Similarly, we saw with Aura that they had Jeffrey Katzenberg, who's the former CEO of DreamWorks.He is on the board, and he was involved with financially backing them. He’s someone who does not have a deep background in cybersecurity. And I think some of the folks who aren't as experienced in this industry are starting to get cold feet. Some people got scared. I was having some conversations at RSA with folks telling me that it wasn't even these companies that wanted to do layoffs, it was their investors telling them that you have to. And I know Alberto Yépez, who we had in our studios at RSA, brought this up too. But it speaks to the value of having people invest in thosewho are familiar with cyber, who are able to do due diligence and scrutiny when they give you the money, and also aren't going to get scared when there's a market downturn, and recognize that there is fundamentally a need for cybersecurity technology. And this isn't discretionary spending. It does speak to the benefit of having experienced investors backing you even if that means you don't get as much money or as high of a valuation.
Delaney: What's the word in the cybersecurity community? How are they responding to these layoffs?
Novinson: For a lot of people, it's a great opportunity to try to hire some folks, as talent is hard to find. And if you're in Wiz or Orca, if you hire folks from Lacework or Cybereason, it'd be interesting. I think those hiring opportunities are good. The other thing to watch is going to be the M&A side. We've been hearing for months that to expect an M&A spree at the end of day. Dave DeWalt was saying at RSA that valuations have come down sharply. There's value to be had right now. Both in terms of public companies, as well as some of these late-stage startups that can't go public anytime soon, are they going to be open to a financial or strategic buyer? We haven't seen too much meaningful M&A activity in the past 60 days. What people are saying is that folks are waiting for this to bottom out, everybody wants to get the best value they can. They want to see things hit bottom first. Upto 50% of the companies went public in late 2021. You have to imagine somebody's going to step in and say, “The fundamentals of these companies are good.” They're category leaders, having stable, and strong double-digit growth. You have to imagine that some of the folks, including large technology firms such as Google, Microsoft, and Amazon are going to step in, and they have a large market caps, even with the downturn, and take a look at some of these public companies or late-stage private companies.
Field: I think you're spot on, Michael. I think that you have to acknowledge the economic conditions, and the economic uncertainty we're looking at right now. As you said, the fundamentals don't change. We still have OT security and software supply chain security issues, and cloud security concerns. The adversaries aren't experiencing a downturn; these issues aren't going to go away. Cybersecurity is an essential.
Novinson: The one thing I would add is for everybody, there's more pressure on the path to profitability. I've heard more about profitability and GAAP net income in the past three months in earnings calls than I did in the previous four years combined. When you look at the cyber sector, the only companies that consistently make money that are publicly traded are Check Point and Fortinet on a GAAP basis. For a lot of these companies, they assume we can lose money forever, as long as we keep gaining share that their assumptions don't have to change. Being able to lose lots of money makes it easy to spend a lot of money in R&D and to hire go-to-market folks. If there's pressure on the startups when they're filing those S-1 to go public to show how they're going to get to profitability. It is going to change how a lot of these companies scale and grow.
Delaney: Tony, the criminals are not stopping anytime soon. Often, we ask interviewees, what can we learn from cybercriminals? But it turns out, they are looking at the defenders as well.
Morbin: It's a two-way street, and even back again from what they're now doing. The LockBit ransomware, as a service group, has announced that as part of its LockBit 3.0 operation, it is going to pay people who find vulnerabilities that they can exploit, and those who find bugs in the software that it uses to encrypt files that might have allowed victims to rescue their data. So, it's looking for both offensive and defensive solutions. It's going to pay bounties for brilliant ideas to improve ransomware operations, and also pay for personally identifiable information on high-profile individuals. Now, they're talking about bug bounties between 1,000 and a million dollars, according to a post on their website. The million dollar prize is that if you can name the affiliate program manager, known as LockBit sup. That's been around for a couple of years, but they've put this million dollar figure on it. Now, in the conventional world, bug bounty programs are intended to incentivize responsible disclosure of vulnerabilities by enticing ethical hackers to submit their findings to the vendor concerned. Now for the company, the benefit of crowdsourcing is reaching a wider pool of hacking expertise who wouldn't have been available in house. The downside has always been the trust issue, because there's often some trepidation about letting outsiders into their networks. So, what does this development tell us about both ransoms and bug bounties? For anybody who hadn't accepted or recognized it, many of the attackers have now reached a level of maturity as businesses that are well-financed, professionally run, and can adopt any of the tools that legitimate businesses use. They are the new organized crime syndicates. Second, the criminals think bug bounties and crowdsourcing are effective ways to improve their operation by tapping expertise outside of the organization. They don't have trust issues with crowdsourcing, partly because criminals have always had zero trust approach to dealing with each other. Whether attackers, in turn, will be trusted by a dodgy researcher looking for an illegal reward for a discovered vulnerability that remains to be seen. The fact is LockBit itself is already a ransomware-as-a-service operation, so that demonstrates how cyber criminals are already buying services from each other. That includes access brokers, those who buy and sell assault stolen data sets, and this gang itself has previously paid for vulnerabilities and bugs in applications, including remote control tools and web applications. What is different this time is that they're inviting everybody to be criminals. As they say, we invite all security researchers, and ethical and unethical hackers on the planet to participate in our bug bounty program. Fortunately, people don't only do things for money, and most people do not want to be criminals. There are legitimate bug bounty programs that will pay ethical hackers. What should we do on the defender side? We need to make it easier for responsible disclosure as a priority and not prosecute those who are delivering bad news. Companies should see if bug bounties and crowdsourcing are appropriate for them, and also solicit good ideas on how to improve their security. Coordinated international law enforcement and government programs should be facilitating crowdsourced defense. Organizations should ensure that we implement a zero trust architecture that enables us to take advantage of any good ideas wherever they come from. Unfortunately, this development means we need to further strengthen the security of our internal supply chain, including who has access to what data and secrets there are, because now everything can be monetized by everybody who has access to your code.
Delaney: Worrying trend. Tom, You recall Attorney Lisa Sotto told us in our recent Proof of Concept, there are more than 60 ransomware groups wreaking havoc at the moment and the demands have gone up. I think there used to be upto $5 million, and now $10 million and upward, and then negotiating less, so it's a worrying trend.
Field: I like the theme of this group. It’s a totally neglected dimension. Let's make ransomware great again. Where have I heard that before?
Morbin: The other interesting thing about LockBit is that with supposed demise of Conti, they are now the biggest ransomware group. And they were responsible for half of ransomware attacks in May this year. So they're trying to take the Conti role.
Delaney: Tom, you mentioned the biggest theme of the year. What are you looking forward to as the next six months unfold?
Field: No question. As we look toward the second half of this year, I think we're going to hear more about OT or operational technology security, in regards to critical infrastructure support, because of the technology issues. We are aware that everything is connected, and because of the cultural issues, and because OT and IT are not connected, that's going to be a significant topic of conversation: software and supply chain security. We've spent the first half of this year talking about Log4j. As recently as about two months ago, 40% of new Log4j downloads were the corrupt version. Log4j is only the one we know about, and we're going to hear more about software, supply chain security, and particularly the ESPON. Cloud security. There's a phrase in talk radio: longtime listener, first-time caller. When it comes to cloud, there are a lot of longtime listeners who are making their first-time cloud strategies. And they're finding out that cloud security is a different animal altogether than on-premises security. I think we'll be hearing a lot more about that. Those are my top three.
Delaney: Can't argue. Michael?
Novinson: Two things for me. The first would be on the business side of the world, the M&A, both the public companies with kind of those $3-$5 billion valuations getting bought, as well as some of these late-stage startups who thought they're going to go public. The other thing to keep an eye on would be this early-stage startup market, and it’s the slowdown. It's starting to affect the early-stage companies and making it hard for companies that have a viable product to get that Series A and Series B funding to bring that to market and to scale. I'm curious how much the financial troubles are going to hurt the next generation of innovation in the industry.
Delaney: For sure. And, Tony?
Morbin: I would echo Tom, in relation to cloud in that the fallout from work-from-home model and, the digitization and the move to working from using cloud hasn't stopped. I was on a roundtable last night, and there were some major banks who still had trepidation about the movement to the cloud resiliency. What would they do if their cloud service provider or SaaS provider were to fall over? That’s an ongoing issue, and hybrid networks will be the way for many of them for some time to come. The ongoing move to the cloud results in potentially new vulnerabilities.
Delaney: A busy six months for us ahead. Thank you so much, Tom, Tony, Michael. Always a pleasure. Thank you very much.
Morbin: Thank you.
Delaney: Thanks so much for watching. Until next time!