COLORADO SPRINGS, Colo.–When cybersecurity is discussed, metaphors such as “battlefield” and “war” are often used, and one expert who has high-level experience in both cyber-threats and credit unions says the references are appropriate, especially because the attacks taking place on financial institutions often have their basis in nations in battle with each other.
Lt. Gen. (Ret.) Bradford J. “B.J.” Shwedo, the former director for command, control, communications and computers/Cyber and CIO with the Pentagon, who is also SVP-special programs with PenFed Credit Union in Virginia, reviewed numerous threats to credit unions during remarks at the Defense Credit Union Council meeting.
He said many of those threats can be traced to the battlefield, especially from hostile nations such as Russia, China, North Korea and Iran.
“The cyberwar is going on, you just haven’t seen a lot of it,” said Shwedo. “You could become a focus of it, and I want you to learn the lessons that have been learned on the battlefield. It’s not unique for bad guys to use tools from warfare in cyber efforts.”
Why Defense CUs are Targeted
In particular, defense-related credit unions are being targeted, he said.
“If the home front can’t pay their bills and (soldiers) are worried about rent and food and other things, they aren’t worried about fighting (the enemy),” Shwedo explained. “Why go after government? To sow fear. You can’t keep up a website?”
He said Ukraine has become a particular training ground, especially for malware targeting infrastructure.
“We started training the Ukrainians in how to do cyber defense,” Shwedo said. “The U.S. cyber command has a concept called Defend Forward. We get a lot out of it. We send our cyber-teams and co-locate with the host country. A lot of times bad guys will not use all their tools when inside the United States. Defend Forward can take and steal the bad guys’ malware and patch our software. We also take down their tactics, techniques and procedures, which allows us to have warnings when we start to see those things.”
In a quick-moving presentation, Shwedo covered a variety of subjects, including:
Zero-Day Threats
“Zero day is a backdoor that no one knows about until zero day, unless you steal zero day before zero day, and then you patch it,” he said.
A Problem in U.S.
“One of the problems is the majority of our critical infrastructure is privately held,” Shwedo said. “And, quite honestly, there are some (private infrastructure owners) that do not want the government involved in cyber defenses.”
Striking a little fear in his audience, Shwedo asked if anyone knew who oversees security around pipelines in the U.S. The answer: the TSA.
“They have very few people for 2.7 million miles of pipe,” said Shwedo. “So, there is lots of work to be done to secure our infrastructure.”
Resources Available
Throughout his remarks, Shwedo on several occasions pointed his audience to the Department of Homeland Security for tools, patches, assessments and guides. The Cybersecurity and Infrastructure Security Agency (CISA) also offers a clearinghouse of information at www.cisa.gov.
Still, despite those resources, Shwedo added, “You will be shocked at how many will not install anti-virus protection on infected machines.”
Cyber Insurance
Many credit unions have purchased cyber insurance. But Shwedo said there may be a big loophole in the contracts.
“Lloyd’s of London and others are starting to use war exclusion clauses, meaning if it’s a state-sponsored attack they will not pay,” he said. “It’s hard to know where the Russian mob stops and the GRU begins.”
PenFed’s Approach
Shwedo said PenFed has a security and intelligence center that constantly monitors warnings from the FBI, NSA, CISA and other government entities for information on the latest in vulnerabilities and the patches that are available.
He cautioned credit unions to be especially mindful of Discord as a source of “second-stage” attacks. Discord is not a permitted PenFed access point for employees and is “blocked at the perimeter,” he said.
Deep Fakes
The sophistication of deep fakes continues to grow, especially voice and video deep fakes that may mimic a credit union’s CEO, for example. In such cases a message that appears to be legitimate may be sent to a lower-ranking employee in which he or she is told they have been given a special assignment and will be asked if they can be “trusted.” That employee will be told to work with certain people only, to make payments, and to use WhatsApp rather than internal communications.
“The bad guy is walking the employee through a counter to your counter-measures,” he said.
He said deep fakes have reached the point where they can even impersonate someone as part of a Zoom or Teams meeting. The bad guys are able to create that impersonation by picking up easily available photos and video from social media, he said, adding they can also use someone’s voicemail message to then re-create their voice.
For that reason, credit unions should use certain code words and have other procedures to verify authenticity, Shwedo added.
TikTok
Shwedo warned credit unions about the use of TikTok on devices, especially on company/credit union-issued phones. Even if the employee isn’t using TikTok, Shwedo said it’s running in the background and can easily provide information to a third party, in this case the Chinese government.
AI
Shwedo noted a lot of the new artificial intelligence tools are free and have been eagerly adopted by more than 100 million users in record time.
“But it can be hacked. Get the CIO and CISO IT involved for solutions,” said Shwedo.
The Cloud & Blockchain
Shwedo said he thinks storing data in the cloud or being cloud-based is a “good idea,” but too many organizations have engaged with “misconfigured” cloud because they just “hand off” responsibility for security. Even when leveraging the cloud, a credit union must take responsibility for security, he said.
Similarly, Shwedo said, “A lot of people believe blockchain was going to be the solve for everything with multiple ledgers. But the scammers are getting smarter.”
