Cybersecurity Advice (for the AV Industry) from Robert Mueller
By Paul Konikowski
On June 24, 2019, former Special Counsel Robert Mueller III testified before the House Judiciary Committee and the House Intelligence Committee about his team’s Report on the Investigation into Russian Interference in the 2016 Presidential Election.
Throughout most of the day, Mueller kept his answers brief and referenced the report. Oftentimes, he refused to answer specific questions or to expand upon his answers. But late in the day, during the Intelligence Committee hearing, Mueller said something during an exchange with U.S. Representative Will Hurd that I believe was very important and crucial advice in preventing future cyberattacks:
“[…] I will tell you, though, that the ability of our intelligence agencies to work together in this arena is perhaps more important […] whatever legislation will encourage us working together — by us, I mean the FBI, CIA, NSA and the rest — it should be pursued aggressively early.”
Mueller continued the exchange with Hurd, and a minute later, Mueller said,
“It wasn’t a single attempt. [They are] doing it as we sit here, and they expect to do it during the next campaign.”
The latter quote was highlighted extensively in the mass media, and unfortunately, it overshadowed the earlier part of the exchange, where Mueller spoke about intelligence agencies needing to work together. This was one of the rare times that Mueller wasn’t just answering a question and/or quoting the report.
How Mueller’s advice on sharing threat intelligence applies to the AV industry
On April 30, 2019, Tenable cybersecurity researcher Jacob Baines wrote a blog post, “Eight Devices, One Exploit,” which outlined a total of 15 vulnerabilities that his team found in wireless presentation devices. Two of the vulnerabilities discovered, CVE-2019-3929 and CVE-2019-3930, were found in products sold by eight separate audiovisual manufacturers. The eight products all used the same underlying software developed by AWIND, a subsidiary of Barco.
In his blog post, Baines explained that although the eight manufacturers OEM’d the same underlying software, the security patch release dates spanned over two years, for essentially the same vulnerabilities! Why? Because the AV industry is not in the habit of sharing cyberthreat information and cybersecurity intelligence. It literally takes a cybersecurity researcher to expose the cyberthreats in a blog post in order for AV companies to realize they have a common problem.
Of course, government intelligence agencies work under different regulations than private AV companies. But the advice that Mueller gave to Hurd still applies to our industry. AV manufacturers have adopted a “security by obscurity” attitude, which has long been determined to be an ineffective approach. It’s time that manufacturers take a more “open design” approach, allow their designs to be scrutinized and share information about vulnerabilities that have been discovered in their devices, as well as information about cyberattacks.
Social media giants like Twitter and Facebook are already doing this. When someone attacks one of their platforms, they share the details with each other, and sometimes, with the Department of Homeland Security. The National Vulnerability Database includes security-related software flaws and misconfigurations. There are also non-profit organizations like the Cyber Threat Alliance, which includes companies like Symantec and Cisco (a little company that I think a few rAVe readers might have heard of).
I wrote a blog post back in June where I suggested a three-tiered approach to AV industry cybersecurity governance. The second tier would include alliances between companies that could alert each other when they were attacked or when a vulnerability was discovered.
Since that post was published, Draper Inc. reported that their phones and computer systems were infected with ransomware. Following the updates on their website over the past few weeks, it appears that it took Draper between one and two weeks to get their systems and phones back online. I commend Draper for their public relations following the attack and the temporary phones that they put in place to keep their operations running.
That being said, does anyone outside of Draper know what actually happened? How did they get infected? What ransom was demanded and did they pay it? Were they able to recover all of their data? What lessons did they learn from the attack, and more importantly, what lessons can they teach the rest of us?
Zoom and Logitech also made the AV news headlines in July. Zoom worked with Apple to quickly issue updates. Logitech has released some updates and plans to release another update sometime in August.
The bad news about cybersecurity just keeps coming, and it will continue
The day after the Mueller hearings, the Senate Intelligence Committee released its own report on the Russian election interference, confirming that the election systems of all 50 US states were targeted.
As I was finishing up this article, the news of a huge Capital One data breach crossed my television. Early statistics indicate that approximately:
- 100 million people in the United States were affected, plus 6 million in Canada
- 140,000 Social Security numbers have been compromised (less than 1% of users)
- 80,000 linked bank account numbers of secured credit card customers have been leaked
I can understand the reluctance of AV equipment manufacturers and software developers to share the details of cyberattacks and vulnerabilities, but if cyberthreat information is not openly shared between AV industry leaders, we can expect a lot more stories of ransomware, data breaches or zero-day vulnerability exploits to emerge within the audiovisual industry.