Dave Bittner (10:02)

And now a word from our sponsor. Spy Cloud identity is the new battle battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing. To neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust. Making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com cyber from time to time, a piece of reporting cuts through the noise and lays bare not just the breach, but a breakdown, a systemic failure that affects national security, industry, trust, and how we define public private partnership in the digital age. And that is exactly what Tim Stark's recent coverage at cyberscoop has done with a deep dive into Salt Typhoon. We're going to dig into that together today. Tim, welcome. It is always great to have you with us.

Tim Starks (12:40)

Yeah, great. Great to be back and thanks for the kind words.

Dave Bittner (12:44)

Yeah. So let's start off with what prompted you to pursue this story. There's a lot here.

Tim Starks (12:53)

So it was actually there's my story and then there's a second story that my colleague Derek Johnson did. But they both stem from the same idea, which is our editor Greg Otto said that he was flummoxed by the notion that the government officials have been saying we're not sure that Salt Typhoon will ever exit the telecommunications networks that were part of the biggest breach, arguably ever of, of the industry by those Chinese hackers. And so he wanted us to explore how that could be and why that could be. And in starting from that premise, we, we broke it out into me deciding to take a deep dive on what the government did or did not do well, in the ways that might have allowed salt Typhoon to, to get into the systems and what made it, made it hard for them to get rid of them and what, what didn't go well about the government's response in the eyes of the people who were critical of it. And then Derek's piece, I'm sure we're going to talk about less, but I just want to encourage people to read it too, is about what the telecommunications sector did that may have led to this happening and worsened it once it did happen. So that's where it started and this is where we ended.

Dave Bittner (14:08)

Yeah. Well, let's dig into it from the beginning. Your story outlines how is it correct to say that the telecom companies were surprised and disappointed at the way and where the messaging came from on this one?

Tim Starks (14:24)

Certainly a good number of them were. The way we started the story was just to say there were a number of large companies, I said some that first heard about this from an article in the Wall Street Journal. If you're talking about the public private partnership that we've all been talking about for decades and the government has detected this intrusion and the victims don't know about it from the government, they're upset. But then also it was kind of an interesting dynamic where just on the notifications piece, because there are several pieces of this just on the who found out about it when and from whom. There was also the issue of starting off with too little is what some of the complaints were, and then ending up with too much. So one of the things we dive into deeper in the story is about what kind of effort there was to identify victims and how that played out and who was in charge of it. But, but at least one telecom industry source pointed out to me that there was a little bit of a, to use their phrase, puppies piling on phenomenon where after they got notifications that they were victims, they were getting calls from too many agencies and getting too much demands for this and that while they were trying to, to mitigate. So it was this kind of multifaceted before, after, during problem. I do think that to the government's credit, there was at minimum an effort to address this and there was a diligent effort to address this and try to do it differently than they've done it in the past. But that doesn't mean that the outcome satisfied all the players. I mean, even the CIS official I talked to in background pointed out that, yeah, when the Wall Street Journal came out, we heard from industry. They were not happy.

Dave Bittner (16:06)

Well, let's talk about the government response. As you say, you spoke to a number of people in government and granted some of them anonymity so that they could speak more freely. How do they self assess the way that this went down?

Tim Starks (16:22)

Whenever you're talking to people who are, you're writing something critical about them and they potentially can be on the defensive. I think what their assessment was was that we didn't get everything perfect. You know, I talked to someone who was in the government during when the time that this was happening. That person explained a lot of the things that they did to try to respond to this. But the quote that's in the headline is, whatever we did, it wasn't enough because they didn't stop it. So that's a realistic appraisal. That was a former person, a current person said, look, we think we did a good job. The government discovered this early salt typhoon activity and without us, would, would the victims even know that it was there? Fair point. Of course, you know, there's counterpoints to that too, that we can discuss. But, but also ultimately they were, you know, they were of the mind that, you know, hey, this could have been done better. Even though we tried hard, the victim notifications still could have gone better. And then you start to get into people who are in the government now, like, you know, Christine Ohm has been making the point as head of DHS that yes, they did discover this intrusion, but they didn't really know how, how it came to be and what to do about it. And I talked to some people who were critical of that element of it that, okay, yes, cisa, through their threat hunters, discovered this in government networks. Why didn't that sound bigger alarms? Why didn't that cause more activity not just on the victim notification front, but on other things? And then of course, there were the questions of things like the beforehand. Did they, you know, there were vulnerabilities that were known here, but did they target those notifications to the communities that needed them most? Did they directly interact with telecoms? And why didn't they? It's a big complicated story that breaks down some of these things and however much you want to go into what parts of that next, I'm ready to go. But it's a sweeping story about the ways in which all of this unfolded.

Dave Bittner (18:23)

How do you break down who ultimately bears responsibility here? I mean, is it and has there been much finger pointing?

Tim Starks (18:31)

There has been much finger pointing, yeah. One of the cool things about the story. I'm sorry, I feel like I'm almost like talking up the story too much, but I'm going to talk about it. One of the cool things about the story that I have anything to do with was the art that's attached to it, which does have, you know, it's some visible finger pointing. You know, you'll recall that in real time. Ann Neuberger, who was the White House national security official who was lead on cyber, had said these were basic vulnerabilities that could, that were. That the telecommunications sector had or that, or that their supply chain had. And they weren't addressed. Basic hygiene didn't happen. So I think you can definitely point the finger at telecoms here. I think you can point the finger at the government about how they handled it and whether they responded as best they could have, whether they should have done more. Certainly you can blame the hackers. I was talking to somebody about this, these two, these two stories, and someone asked about why wasn't there a third. You gotta have three in a series, right? And I was like, who else would you blame? I'm like, well, the hackers, I mean, they were clever. They, you know, they, they targeted an industry that, you know, you can make the case that some, like some people did in my story that had been getting a little bit neglected because of, you know, this is something even people who were in the government at the time conceded that they were focused on the people who were really desperately in need, the people who were really far behind. And the thought was the telecom sector was further ahead. That. That may have, well have been true. But, you know, the telecom sector has vulnerabilities too. There was a. There was a section of this we kind of left on the cutting room floor which was, you know, size in cyber is both a valuable thing to have and a dangerous thing to have. It's why you see Microsoft constantly attacked. You would think Microsoft, with as much money as they have, that they would be able to address these things, but they have such a gigantic attack surface. And that's one of the things I think we learned here, is that the telecom sector was really vulnerable. And even if you don't play blame the victim, it's really possible to be hacked and to not have any culpability and for it not to be your fault. I think in this case, just in my broader assessment, I think there was fault to be found on all sides. How much individuals want to blame one side more than the other? I'm going to leave to them. But I think that there were real faults that I think our stories outlined that pointed to culpability on the telecom sector side of things and the government side of things.

Dave Bittner (20:56)

And what are you seeing going forward here in terms of both real substantive changes and aspirational change?

Tim Starks (21:05)

Yeah, I think there is the sort of vague things that Kristi Noem has said about how to get SISA back on mission. We haven't heard yet about how she wants to do that. Certainly we've talked about the things that are sidelines that are not really part of what our story was about. But you and I have talked about those things. But in terms of like how do you get SISSA back on mission such that if something like Salt Typhoon might happen again, how do you avoid it happening? We don't have a plan for that yet. We haven't heard that plan yet. On the government side, certainly there have been people who have been advocating for strengthening things like the Cybersecurity Information Sharing Act. We'll see whether that happens at all. But that's another idea that's out there about how that this could have been helped. I think we're going to be hearing more from Congress on that and more from Congress on their investigation. There's a House Homeland Security investigation into what really went wrong with Salt Typhoon. So I think that could produce more ideas. I think we're kind of still at the idea stage, frankly, if you think about this. You know, the public first learned about this back in September, but some of this wasn't really, we didn't really get a real sense of some of the scope of this until closer to like December. And then we had an administration change and you know, there's been some chaos there, to say the least. Above and beyond, I think the usual kind of administration change where you have turnover of personnel and you have turnover of ideas. So I think we're, I think we're behind on that for reasons that are both valid and perhaps questionable. So I think that, I think that we'll see more once some of those cards start to play out on things like Congress, its investigation, what the administration decides to do. I think that there's more to be seen there about. I think like you talked about, it's more at the aspirational phase than the deliberative. This is what we're going to do now.

Dave Bittner (22:49)

Tim Starks is senior reporter at cyberscoop. We will have a link to his in depth reporting on Salt Typhoon in our show notes. Do check it out. It is worth your time. Tim Starks, thanks so much for taking the time for us today.

Tim Starks (23:02)

Thank you, Big Talk. Dave.

Maria Varmazas (23:20)

And for our last story, Victoria's Secret is making headlines this week, and not for reasons you might suspect, not for a new collection. Everybody just settle down. The retailer has taken its US Website offline and paused some in store services after a major cybersecurity breach was discovered over the Memorial Day weekend. Online shoppers were met with a black screen and a brief message confirming the incident as the company scrambles to investigate. With digital sales making up nearly a third of its revenue, this outage isn't just inconvenient, it is quite costly, with shares in the company dropping nearly 7% so far, Victoria's Secret hasn't revealed whether customer data was compromised, fueling plenty of speculation on that front. Experts say that the timing follows a familiar pattern, with cybercriminals often striking when staff coverage is light. Victoria's Secret says its team is working around the clock to restore operations. And as one viral song goes, I know Victoria's Secret well. Now hackers might, too. And that's the CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your teams smarter. Learn how@n2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Heltzman. Our executive producer is Jennifer Ivan. Peter Kilby is our publisher. And I'm Maria Varmazes in for Dave Bittner. Thanks for listening.

Dave Bittner (26:03)

And now a word from our sponsor, Threat Locker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.