Episodes

  • Jonathan discusses why enormously complex semiconductor production cannot easily be “nationalized,” but how the industry was never really offshored. What protests in China told us about Chinese citizens’ worries about monitoring and persecution versus censorship. Is iCloud finally going to be secure, and what does that tell us about the encryption policy debate?

  • Jonathan discusses the major evolution to commercial space, the drastic decrease in cost to reach orbit, and how to ensure security as companies scale up with automation to manage proliferated low-Earth orbit.


  • Jonathan argues that there is no cyber war; there's just war. Russia and Ukraine aren’t failing at cyber war, they are just using their capabilities in a way that we did not expect. Why did we make the mistake of assuming their capabilities would resemble ours? Also, how cyber will always be somewhat ungovernable, and how the implications of cyber defenses and other technologies may not be fully apparent for years after deployment.


  • Jonathan talks about the Pipedream attack and the implications of hacking industrial control networks. Can VPNs increase vulnerabilities, and how vulnerable are industrial control networks generally? Christian and Jonathan discuss.


    Christian Whiton (00:09):
    Welcome to Cyber Context, the podcast featuring Jonathan Moore, the Chief Technology Officer of SpiderOak. Jonathan, the Ukraine war is going on and revealing more and more about our cyber capabilities and cyber defenses and Russian and other bad actors and their cyber capabilities against us. It seems in the past week, the US government has become concerned. It appears to have gotten the upper hand on this one incident, but something called Pipedream, which I gather was a compromise that was directed at LNG, so natural gas facilities here in the United States.

    Christian Whiton (00:48):
    So not 100% sure it came from Russia, whether it was the Russian government or other actors, but probably, knowing what's going on in the world, and with the target being gas, that's kind of interesting. Of course, that's the one thing Europe seems still to have to buy from Russia if they want to keep the lights on. The price has gone up. Maybe Russia wants it to go higher. Still, maybe Russia doesn't like the idea of Europeans buying our natural gas instead of getting it from there or getting it from Qatar. What does this tell us? This is sort of an interesting and different attack targeting critical energy infrastructure?

    Jonathan Moore (01:26):
    Yeah. Well, I think if I recall correctly, this has been attributed to Sandworm, which is the same threat actor that attacked the Ukraine power system in the past. Shutting power off to Kyiv in two different events and I mean, the Pipedream is a tool kit piece of malware. So it's a piece of software or collection of software and tools used to cause temporary or permanent loss of capability in these industrial control systems. So, I think it's interesting and there's several interesting things about it. So one I want to think that it's, I think we have a good belief that this is a real incident and not just sort of propaganda and trying to show yet again, we've got the better of Russia either through intelligence or having better capabilities it's actually been commented on.

    Jonathan Moore (02:28):
    And apparently the original research and reverse engineering was done by Dragos who's really the premier security company in these industrial control systems in the US. So, it is really interesting. And it does show if this was something that Russia meant to use that they were trying to escalate and bring some of the conflict directly back to us domestically, which I think it would be an interesting shift if we saw it stop. We've heard the government warning us for months now that, "Hey, Russia's coming and we haven't seen them yet." So if it is an attack that we thwarted that they meant to follow through on that is really interesting. And I wonder, what else we are defending against successfully? I think I'm super interested too, whether this was a detection that we caught early and stopped them by hard work and luck, or whether this is tipped off by espionage. Since apparently we've got some great espionage capabilities in Russia, as we've repeatedly called out what their plans of the next week were to their frustration. So, it is a very interesting event.

    Christian Whiton (03:47):
    Yeah. I'd like to talk more about the vulnerability of these industrial control networks, but maybe before we get there, another recent attack on US energy related infrastructure of course, was Colonial Pipeline. It sounds like this potentially was much more sophisticated because it wasn't Colonial Pipeline. I mean, didn't that come down to a password that one of their senior officers said was really complicated, but nonetheless was discovered and it was an attack on a billing system. Am I right? Is what we're talking about here more sophisticated than that one?

    Jonathan Moore (04:19):
    Well, I think I'm not sure... Sophisticated may or may not be the right language to use, but I think that the right way to think about it is what the goal of the adversary was. So yes, Colonial Pipeline shut down because they couldn't do billing and they didn't want to give away energy for free. But the goal of those adversaries was to shake down Colonial Pipeline. To get money in return where the apparent goal of these adversaries was to shut down capability as a form of attack as a tool of politics and military, not as a way to make more money. So it was not a financially motivated attack it was a politically motivated attack. So that I think is really the big difference to see in terms of framework. I mean, without having these various things in hand and we do not, I do not have this in hand and if there is a report that's available, I haven't read it myself.

    Jonathan Moore (05:19):
    I can't really speak to the actual level of complexity, but if it targeted industrial control systems, generally the goal in those systems is to overcome the safety controls that keep the plant both available and safe for people in the vicinity. So, all of these kinds of systems work in control loops, where you have some kind of actuator and you need to keep some process within some safety balance. And you have a series of controls that allow you to keep that, and you probably have redundant controls. Like you might have a pipe that's rated up to some pressure and you have some sensor checking what the pressure is. And if it's a process with a heater, you have some heater control modulating the temperature to keep the pressure safe.

    Jonathan Moore (06:08):
    And maybe you have another pressure release valve. So you have this whole set of systems and you need to keep everything within the safety envelope. And what we've seen that these attempts have been historically is to subvert the safety systems, to allow things to go out of the range of safe, to cause temporary or permanent damage to the facility and lack of capability. So it's meant to deny capability in a political or military context rather than again, to temporarily deny capability as a way to ransom money out of somebody. So I think it's more important than sophistication is the goal of the attack.

    Christian Whiton (06:47):
    Interesting with... I mean, how interconnected are these systems? I guess sort of you think the sum of all fears would be a cyber attack on a nuclear plant where you yank all the control rods out, the reactor goes prompt critical, maybe the fuel all melts, maybe the reactor itself explodes. I mean, is that sort of the apex threat, and is that unlikely, or is that actually within the realm of theoretically possible?

    Jonathan Moore (07:13):
    Well, I mean, I think it really depends. Well, I mean, theoretically possible. I mean, I believe it was in Bhopal, India, where there was a large chemical accident that killed thousands of people. And so I think if you want to look at the extreme of what's theoretically possible, those kinds of things are possible. Now, in a well-designed system that should not be possible. That incident was due to multiple failures, largely at the administrative level, as well as the personnel level. There were redundant safety systems that had failed and hadn't been maintained. There was instant staffing and all that kind of stuff. So, should a cyber-only attack be able to cause that kind of large damage? I hope not in systems, but I got to be clear. I am not an expert in industrial control systems.

    Jonathan Moore (08:07):
    I mean, I've got a little bit of knowledge, maybe just enough to be dangerous, but I don't want anybody to take anything I say as correct. But it's merely as something to inform more research. But so I think the most likely thing we would look at...

  • Jonathan discusses the reported “Pipedream” Russian attack on U.S. natural gas infrastructure and whether it is a significant escalation. How does it compare to the Colonial Pipeline attack and the Stuxnet compromise of an Iranian nuclear facility? How vulnerable are industrial safety controls? Jonathan also discusses the difficulty of distinguishing between espionage and military action in cyber and whether VPNs increase or decrease security.

  • Jonathan discusses how Russian cyberwar capabilities are turning out to be different than expected in the Ukraine war, but not nonexistent. Moscow’s reported deployment of wipers indicates that Russia has developed capabilities in a different manner than we have, and that we make a mistake in assuming they would take the same path. Russia may also be holding back on attacking capabilities that it depends upon as much as the Ukrainians. He takes a deeper look at what we know so far.

  • Jonathan discusses how a victim of a North Korean cyber attack shut down that country's internet and whether companies can go on the offensive against cyber threats. He also ponders whether most “hacktivists” are in fact working for governments. Does the disablement of a Mazda via an image file from an HD radio station open up a new attack vector not previously considered? The FCC is pressing manufacturers and operators to harden satellites against cyber attack, but will this happen without the right incentives in place?

  • Jonathan discusses whether adding more computers and network connections to a car increases vulnerabilities. What are the comparative risks of the data cars receive, from radio packets to video to LiDAR? Furthermore, do we need new regulations on collecting data in public given the amount of information these cars will collect and store?

  • Have we seen the full extent of Russia’s cyber war capabilities, or are they this underwhelming? And will the technology world be torn into two or more camps with so many countries and companies ceasing business with Russia? Jonathan Moore (CTO of SpiderOak) is joined by special guest Matt Erickson (VP Solutions of SpiderOak) to discuss cyber attacks so far in the war, including capabilities not exercised, and what the new world of software and systems might develop.

  • SpiderOak CTO Jonathan Moore discusses the ins and outs of social engineering, and how it can defeat even second-factor authentication in some instances. How secure is 2FA and what are the alternatives? Jonathan also discusses whether crypto is secure, and whether you should be thinking about physicalizing your security problem.

  • We may think about cyber warfare very differently than China or Russia. Are we making a mistake conceptualizing it as a space in which we can maneuver, and thinking of exploits as digital bullets? Jonathan argues it may make sense to think of cyber warfare in more tactical terms, and questions whether a true strategic shock like the surprise attack on Pearl Harbor is likely in cyber.

  • The Log4j vulnerability has a theoretical reach into anything made with Java. Are there other old but reliable tools in software design that hold hidden risk? And will patches work if they threaten software functionality? How the Log4j vulnerability was identified and whether we can count on this defense in the future.

  • Should we be worried that the most advanced integrated circuits come from Taiwan, one of the most threatened places in the world? Jonathan outlines photolithography and other techniques that define the world’s most sophisticated chips, and where cyber-attackers would focus their malevolent efforts on hardware. Christian asks whether quantum computing will be real anytime soon.


  • Jonathan discusses the risk to low-Earth orbit from Russia’s successful test of an anti-satellite weapon, and whether the kinetic threat is as big as the cyber one. Are non-attributable attacks in space the ones we really have to worry about?