The Importance of Critical Thinking

This post is not about COVID-19 or masks. Instead, it’s about simple, back-of-the-envelope fact-checking and, more importantly, about critical thinking and why it’s so important as a way of helping to prevent the spread of misinformation.

An article in the Daily Mail from March 12, 2021 reports that “Face masks are a ‘ticking plastic bomb’: Three MILLION coverings are thrown out every minute and serve as carriers for other toxicants in the environment, experts warn”. The article is based on an analysis from researchers at the University of Southern Denmark and Princeton University.

Three million per minute? Let’s see if that’s possible:

  • There are 1,440 minutes per day (60 minutes per hour x 24 hours per day)
  • Three million masks tossed per minute equals 4.32 billion masks tossed per day (1,440 x 3 million)
  • That equates to 131.4 billion masks per month (to be fair, the researchers estimated the total at 129 billion per month, so we will use that figure)
  • That means that 1.548 trillion masks are disposed of each year (129 billion x 12)

If 1.548 trillion masks are disposed of each year, we can safely assume that about that many are produced each year, since existing stockpiles of masks could not have supplied this many. Could that production figure be accurate? Not really.

If we assume a retail price of just US$0.10 per mask (substantially less than the price of many masks on Amazon.com or Walmart.com in the United States), that means that the worldwide retail value of mask production is US$154.8 billion annually. While estimates of the total annual market value of face mask production differ, one source has the market at US$15.83 billion for 2020, while another source pegs it at US$7.24 billion. If we assume that the annual production volume of 1.548 trillion masks is accurate, that would put the production value per mask at between roughly US$0.005 and US$0.01 each. Production costs that low, even in very large volumes and for the least expensive paper masks, are not realistic.

Another way to determine that the 1.548 trillion annual mask production figure is unlikely to be accurate is to check mask production estimates. For example, China’s total production of face masks in 2020 was estimated to be 10.1 billion units, or about 0.65% of 1.548 trillion. Could it be true that China is producing less than one percent of the world’s total production of face masks each year? Not really, since prior to the pandemic China was producing about one-half of the world’s face masks and ramped up production 12 times once it had started.

I have no doubt that the researchers who concluded that we dispose of 129 billion face masks each month did their research with the best of intentions. But even a cursory analysis like the one discussed above reveals that their estimate is highly suspect. At a minimum, the researchers should have been queried about their research methodology and independent sources consulted to determine if similar findings were available. A failure to do so enables either the spread of misinformation, assuming the researchers are wrong; or it results in information that is difficult to believe for those who do the math, assuming they were right.

Predictions for 2021 in Security and Tech

Winston Churchill once said, “I always avoid prophesying beforehand because it is much better to prophesy after the event has already taken place.” Because Mr. Churchill was a brilliant man and I am far less so, I foolishly but cheerfully offer my predictions of what I believe will happen in 2021 in the security and tech spaces:

  • There will be at least two significant cyberattacks against critical infrastructure targets in the United States and/or Europe, most likely against electrical power systems. These will be noisy attacks in that they will disrupt large numbers of customers and may last several days. My guess is these attacks will be in the Northeastern United States and in France.
  • In the same vein, there will be a greater emphasis on attacks against various types of Operational Technology (OT) infrastructure. The growing number of sensors and other Internet-enabled devices can be used effectively for a variety of purposes, including penetrating networks and disabling infrastructure as part of ransomware and other attacks. The work-from-home model that will continue at nearly its current pace well into 2021 will be a key enabler of these attacks. A cheap baby monitor that lives on the same home Wi-Fi network that is used to access corporate databases and email does not make for good security.
  • There will be continued high levels of phishing, but we will see an increased emphasis on business email compromise (BEC) as a proportion of total phishing attacks. In fact, we will see record levels of BEC aimed both at senior executives (e.g., CFOs) and lower-level employees in HR and finance departments. a) Good security awareness training, b) skeptical employees, and c) communication backchannels to verify these kinds of requests dramatically reduce the chance of bad actors successfully stealing funds, but not enough companies have sufficient numbers of a, b or c.
  • There will be a significant increase in ransomware, but there will be higher ransom demands than we have seen in the past. Recently, there was a $34 million ransomware demand directed at Foxconn Electronics (the highest ransom demand to date, as far as we can tell) and another against Dutch firm Randstad. I expect to see more and much higher ransom demands in 2021 (including at least one ransom demand of $50+ million). At least one of these high-value demands will be directed at a critical infrastructure system.

  • China will begin military operations against Taiwan no later than July 2021 (and will receive very little pushback from most world leaders for doing so). Of course, this will create significant political repercussions, but also major disruptions in the world economy and in the technology space (for example, Taiwan is Apple’s number one supplier, and Google is currently building its third data center in the country). Chinese President Xi said in early 2019 that Taiwan “must and will be” reunited with China. In May 2020, Chinese Premier Li Keqiang dropped China’s long-standing use of the word “peaceful” in discussing China’s reunification with Taiwan. In late 2020, the senior director at a think tank that specializes in China-Taiwan affairs noted, “This is the most dangerous, the most unstable, and the most consequential flashpoint on the planet.” And, in recent months, there have been a number of incursions by Chinese military aircraft into Taiwanese airspace.

I’d like to hear your thoughts on these predictions.

What Happens When Security Solutions Don’t Work?

A US county government has a serious security problem and has seen an enormous increase in the number of malware infections during 2020, as shown in the following figure.

As shown in the figure, they implemented a new security solution on April 10th and saw a slight decrease in the number of malware infections. However, a week or so later they saw a big increase in endpoint infections and so deployed another security solution of the same type on May 14th. That didn’t seem to work either, with infections increasing steadily until July, at which point they dropped significantly. However, in late October infections once again started climbing, this time faster than before. So, on November 20th a different type of security solution was implemented. That made no dent in the rate of increase for malware infections, and so five days later the county’s CISO chose to deploy a different security solution, after which malware infections climbed at an even faster rate.

Nothing seems to be working: the current level of malware infection is now about 16 times what it was when the first security solution was implemented back on April 10th. To make matters worse, the security solutions that have been implemented have seriously hampered employee productivity, so much so that economic activity in the county has been seriously impacted.

What should the county government leaders do at this point? Continue to implement one security solution after another, or perhaps try a different approach?

A CISO and security team that had a good handle on dealing with malware infections like this would take a different approach, choose different solution providers, or copy what other governments with the same problem have done in dealing with these types of malware outbreaks. There are some good examples they could follow, but their CISO won’t agree to consider them.

What would you do in this situation?

What if We Dealt With Cybersecurity Like We Deal With Pandemics?

The novel Coronavirus (COVID-19) pandemic has motivated governments around the world to implement a variety of measures, including shuttering “non-essential” businesses, restricting how far individuals are allowed to travel from their homes, limiting or eliminating travel to their countries, imposing curfews, forcing people into quarantine when visiting their jurisdictions, imposing requirements to wear face masks, and so forth.

In almost all cases, the original goal of these measures was to limit the spread of the SARS-CoV-2 virus so that hospitals and other healthcare providers would not be overwhelmed. This so-called “flattening the curve” worked well by dramatically reducing the number of people visiting healthcare facilities so that those who contracted COVID-19 would be able to find treatment. In fact, “flattening the curve” worked so well that governments overshot their goal – tens of thousands of healthcare workers were laid off for lack of work because so many hospitals were operating far below capacity.

What if government took the same approach to cybersecurity in an attempt to stop ransomware, data breaches, credential theft, account takeovers, and other types of security problems? Here’s how it might play out:

  • Your state’s governor, your country’s prime minister, or your government’s CIO would determine who should be classified as an “essential” or “non-essential” user of communication and information services. Those deemed non-essential would be prohibited from sending or receiving email, using the web for any purpose, or using a mobile device.
  • Government would establish which websites, web services, email providers, social media providers, etc. are essential or non-essential and order those in the latter category to be shut down for an indeterminate period. In some jurisdictions, operators that defied these orders and remained open would have their electricity and Internet connectivity cut off. Owners who persisted in their defiance and found other ways to remain in operation could be jailed.
  • No computer or mobile device connected to the Internet could be used between the hours of 8:00pm and 5:00am.
  • Corporate help desks would stop dealing with all user issues except those with a specific type of the newest cyberthreat. Other issues would be dealt with at a later, yet-to-be determined time. The goal would be to prevent security analysts from being overwhelmed with too many requests for help.
  • Government would determine from which states, provinces or countries email could be received. Emails from non-approved countries would be placed into a spam folder or sandbox for two weeks before they could be read.
  • As cybersecurity attacks hopefully lessened, government would permit providers of email and web services to once again start their operations, but with only 25 percent of the number of users they had prior to the cybersecurity pandemic. More gracious governments would increase that figure to 50 percent.
  • Long after the cybersecurity pandemic had started and after the worst of the problems had eased, government would require every user sending or receiving an email, visiting a web site, or posting to social media via the public Internet to send all communication through a client-side, multi-layer filtering solution. Even though there was little or no evidence that the solution would do anything to prevent or limit cyberattacks, it would make citizens and governments feel better because they were “doing something” to prevent the spread of threats. Even so, those not complying with this order could be fined heavily and would be publicly shamed.
  • Any entity that promoted an inexpensive, yet effective, cybersecurity solution instead of the extremely expensive solutions offered by a limited number of government-approved providers would be prevented from discussing their approach to cybersecurity on social media.

No doubt that these measures would work to prevent cyberthreats and make us all safer. Or maybe not.

The Coming Great US Economic Migration

A “great migration” is generally considered to be a migration of people that has an important impact on the course of history. These types of great migrations – often the result of economic drivers – have occurred throughout human history. Over the past 200 years or so, these migrations have included, among many others, the migration of up to two million Irish citizens to other countries (mostly to the United States) as a result of the potato famine between 1845 and 1850, the California Gold Rush from 1848 to 1850 that brought roughly 300,000 fortune-seekers to California (more than tripling the state’s population), and the Dust Bowl that brought up to 400,000 people to California.

In the United States, we will be seeing another economic migration, this time driven in large part by the wide variety of different governments’ responses to the COVID-19 pandemic. For example, the response to the COVID-19 crisis in Kentucky was a stay-at-home order issued on March 26th, while South Dakota never issued one and imposed significantly fewer restrictions on economic activity than most other states. Not coincidentally, South Dakota has had a dramatically lower rate of unemployment through April compared to Kentucky and most other states (and a much lower death rate from COVID-19 as of this writing).

The variety and severity of responses to the COVID-19 crisis are undoubtedly being followed closely by many business decision makers as they make longer term plans for the expansion of their companies – and possibly a move of their companies to states that have responded with less-stringent measures to address the pandemic. And it makes sense for them to do so – if, during the next pandemic, a company will be locked down for four months in their current location or for two months in another, why wouldn’t they include that as a decision point in determining where to expand their operations?

The first major shot across the bow in this regard came from Tesla CEO Elon Musk who tweeted on May 9th, “Tesla will now move its HQ and future programs to Texas/Nevada immediately. If we even retain Fremont manufacturing activity at all, it will be dependen [sic] on how Tesla is treated in the future. Tesla is the last carmaker left in CA.” While that may have been an off-the-cuff response from a CEO who has a reputation for being a bit brash at times, it’s likely indicative of how many business leaders are feeling these days.

That said, it would be inaccurate to believe that the pandemic alone will motivate companies to seek greener economic pastures. The migration of companies to more economically advantageous locations has been happening for some time as business leaders seek lower taxes, less regulation, less unionization, a lower cost of living for their employees, and easier building permitting. For example, JP Morgan is considering moving its headquarters out of New York City, Honeywell moved its headquarters from New Jersey to North Carolina, and General Electric moved out of Connecticut. In just 2016, 1,800 businesses left California for other states.

However, what makes the response to the COVID-19 pandemic a key factor in future migrations is that many of the states that businesses were already considering leaving are those that have imposed some of the most stringent restrictions on business activity in response to the pandemic. California, for example, was the first state to impose a stay-at-home order and it shows little sign of letting up anytime soon: Los Angeles County, with roughly one-quarter of California’s population, will be shut down through at least July. The continuation of strict stay-at-home, shelter-in-place and similar types of orders will likely be important, motivating factors for thousands of businesses large and small to seek locations where the next pandemic may be met with fewer restrictions on their business activity.

In short, the SARS-CoV-2 virus will have important long-term impacts on business activity, and the economic health of different states, long after it has faded into obscurity.

How Will the Current Lockdown End?

Here is my two cents on what I see as the development of the six stages of the COVID-19 lockdown in the United States. (Please note that I am not advocating rebellion against government, just commenting on what I believe will transpire):

  • Stage 1 (through March)
    The vast majority of people readily accept what they’re told despite the economic hardship and inconvenience it causes to them personally. They comply with stay-at-home, shelter-in-place, and similar types of orders.
  • Stage 2 (early April)
    Most people continue to comply, but some will quietly violate stay-at-home and shelter-in-place orders, such as walking on closed trails or taking drives, in an effort to regain some sense of normalcy.
  • Stage 3 (mid-April to early May)
    Many start to consider that maybe some governments have been too draconian and capricious in their lockdown orders, and that models upon which government decision makers have relied have been too aggressive in predicting the number of deaths. They wonder why, like in Michigan, they can still go out to buy lottery tickets, but cannot purchase plants for their garden. We see the first inklings of rebellion as we saw with yesterday’s lockdown protest in Vancouver and Vernon, BC. A few state governments begin to re-open schools and allow previously “non-essential” businesses to reopen, albeit with restrictions.
  • Stage 4 (mid-May to early June)
    A large percentage of people, many small businesses, and some local governments defy lockdown orders in an attempt to return to semi-normalcy. An “underground” economy of previously legal activities like hair styling, residential construction, and nail salons emerges quietly.
  • Stage 5 (mid-June)
    The state and local governments still enforcing lockdowns choose either a) to back off and start to allow things to re-open slowly, or b) to ratchet up enforcement through more aggressive levying of fines and arrests, and in rare cases resort to violence to keep people and small businesses in line.
  • Stage 6 (late summer 2020 through mid-2021)
    Businesses do a post-mortem on how the state and local governments under which they operate reacted to the COVID-19 crisis. Business leaders make decisions about which jurisdictions struck the right balance between safety and the economy and begin to move operations to those locations in preparation for the next, similar crisis.

Obviously, there are lots of unknowns at this point and predictions are often and notoriously wrong. A case in point is the estimates of deaths resulting from COVID-19 published by the Institute for Health Metrics and Evaluation (IHME) at the University of Washington. On April 2nd, IHME published their best guess of 93,531 deaths through early August, revised it to 81,766 deaths on April 5th, and revised it again to 60,415 deaths on April 8th. That’s not a slam against IHME, whose scientists and modelers are no doubt very well-intentioned, but rather an example of the perils that exist in modeling just about anything, particularly in the relatively early stages of a crisis.

Lessons Learned from the COVID-19 Panic-Demic

Here are a few idle thoughts and personal takeaways about the impact of the COVID-19 pandemic and the ensuing panic among the public, in the financial markets, etc.:

  • Supply chains that are built around the concept of enabling sellers to provide products at the lowest possible price don’t weather pandemics very well. Depending so heavily on a single country for manufacturing is clearly susceptible to a Black Swan event like the one in which we’re currently embroiled. As investors are almost always advised to diversify their portfolios, manufacturers should diversify their supply chains to weather disruptive events more effectively.
  • Nation-state actors and cyber terrorists have been provided with an excellent example of how they might be able to severely disrupt life in developed countries, particularly the United States. While COVID-19 is certainly a serious issue that requires the appropriate level of response, the panic buying of toilet paper, flour, sugar, milk, eggs, cake mixes, baby formula, diapers, cat litter (yes, cat litter!), etc. is clearly an overreaction when food-related supply chains, at least in the United States and many other developed nations, are still largely intact.
  • To the point above, imagine if a nation-state actor or terrorist organization were successful in taking a handful of power plants off-line with the threatening message that more would be taken off-line in the near future. As demonstrated with the COVID-19 panic, there would be a huge run on not only basic necessities, but also on things like batteries, generators, flashlights, and hundreds of other items. It wouldn’t just be grocery stores and Costco stores with thousand-foot lines, but also Home Depot, Lowes and lots of hardware stores.
  • Our residential broadband infrastructure seems to be holding up quite well with the addition of several million home-workers now suddenly added to the traffic burden. While I’m sure there are instances of poor broadband services for residential workers because of the additional load, they seem to be few and far between.
  • One of the positives that may come out of this crisis is the realization by many decision-makers that lots of in-person meetings that incur significant travel costs can be easily replaced with on-line meetings. While not good for the already decimated travel and hospitality industries, we might experience a new wave of meeting efficiency that we hadn’t anticipated.
  • There is likely to be a major increase, at least temporarily, in the number of victims of cybercrime and data breaches. As employees use their home computers – with inadequate endpoint protection and networks that incorporate hackable routers – to access corporate email and data assets on the corporate network, the security defenses that normally defend sensitive data resources will be bypassed in many cases. Expect a major uptick in security problems until organizations adapt to the new, hopefully temporary, reality of most or all of their workforce working remotely.
  • Similarly, expect a major increase in social media-related cybercrime because people are hungry for information about COVID-19, and they’ll click on links that purport to offer information about it. As noted by Brian Krebs six days ago, a live Coronavirus map developed by Johns Hopkins University is being exploited as part of an infection kit that uses the tool as a component of a Java-based malware deployment plot.

In short, lots of problems to be expected in the near- to mid-term until a combination of decreasing infection rates and whatever new crisis is in the offing move our attention to some different topic.

The Increasing Costs of Ransomware

As discussed in a ZDNet article about an RSA Conference talk from an FBI special agent, $144.35 million was paid in Bitcoin to ransomware-dispensing thugs during the six-and-a-half years ended July 2019. Among the most lucrative ransomware variants were:

  • Ryuk, which was by far the most successful ransomware, generating an average of $3.05 million per month during the 20-month period ended October 2019. Ryuk is responsible for the ransomware attacks that affected the San Diego Union-Tribune, the City of New Orleans, and Lake City, Florida, among many others.
  • Crysis/Dharma, which generated $670,000 per month during the three-year period ended November 2019.
  • Bitpaymer, which generated $350,000 per month during the 23-month period ended September 2019.
  • SamSam, which generated $200,000 per month during the 34-month period ended November 2018.

Interestingly, more than 25 percent of the ransom that has been paid by victims has yet to be spent, still housed in Bitcoin wallets.

Also of interest is the fact that up to 80 percent of ransomware attacks began as brute-force attacks on the Remote Desktop Protocol (RDP), with the remainder of attacks starting as phishing exploits. This is despite the fact that, while a typical RDP brute-force attack lasts an average of two to three days, only 0.8 percent of them (one in 1,250 attacks) are actually successful, according to Microsoft.

Here are a few steps to combat ransomware, or at least the majority of its impact:

  • Minimize use of RDP. A friend at church told me on Sunday that while he was at RSA, his newly-hired subordinate was implementing RDP on all of the corporate workstations despite being told not to do so. Don’t do it if you don’t have to.
  • Use robust passwords. As the FBI special agent noted in his RSA talk, “If you can tell your password to someone else in under 30 seconds, it’s probably not a secure password.”
  • Implement robust security technologies focused on detecting and remediating ransomware before it has a chance to take root.
  • Implement ransomware-resistant backups that will prevent thugs from encrypting backups along with your endpoints.
  • Monitor networks for anomalous behavior.
  • Train users not to click on unknown or suspicious links in emails and on the web.

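The FBI figures above say most ransomware intrusions start with RDP brute-forcing that runs for days before a single guess lands, which makes the "monitor networks for anomalous behavior" step very concrete: a burst of failed RemoteInteractive logons from one source, followed by a success from that same source, is exactly the pattern a defender wants to alert on. The following is an added example written for this post, not code from the article or from the FBI talk. It runs over a handful of constructed log lines (a simplified one-line rendering of Windows Security events 4625 and 4624 with LogonType 10, which is RDP); the field layout, IP addresses, user names and the five-failures-in-ten-minutes threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). 4625 = failed logon,
# 4624 = successful logon; LogonType 10 (RemoteInteractive) is RDP. LogonType 3
# on the last line is a network logon and is deliberately ignored by the detector.
SAMPLE_LOG = """\
2020-03-01T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-03-01T02:14:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2020-03-01T02:14:05Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2020-03-01T02:14:08Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-03-01T02:14:09Z EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.45
2020-03-01T02:14:12Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-03-01T02:20:40Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-03-01T09:01:10Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2020-03-01T09:03:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2020-03-01T10:00:00Z EventID=4625 LogonType=3 TargetUser=svc_print SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {ip: {"failures", "first", "last", "users", "success_after"}}. The
    success_after field records the first successful RDP logon from a flagged
    source, the single most important thing for a responder to know.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> total failures seen
    users = defaultdict(set)      # ip -> distinct account names tried
    flagged = {}

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ltype"] != 10:
            continue                      # skip unparseable lines and non-RDP logons
        ip = ev["ip"]
        if ev["event"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            total[ip] += 1
            users[ip].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()               # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"failures": total[ip], "first": q[0], "last": ev["ts"],
                               "users": users[ip], "success_after": None}
            elif ip in flagged:
                flagged[ip]["failures"] = total[ip]
                flagged[ip]["last"] = ev["ts"]
        elif ev["event"] == 4624 and ip in flagged and flagged[ip]["success_after"] is None:
            flagged[ip]["success_after"] = (ev["user"], ev["ts"])
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} RDP failures against {sorted(info['users'])}, "
              f"success afterwards: {info['success_after']}")
```

On the constructed input only 203.0.113.45 is flagged (six failures against four different accounts in eleven seconds, then a successful logon as administrator six minutes later); the single failure from 198.51.100.7 is the kind of typo a legitimate user makes and stays below the threshold. In production the same logic would read event data from a SIEM or Windows Event Forwarding rather than a string, and the threshold would be tuned against the environment's normal failure rate.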
Ransomware hit a high point in 2016, waned a bit in 2017 and 2018, and hit yet another high point in 2019. We anticipate that 2020 will set yet another high watermark for ransomware victimization.

Some Musings on the RSA Conference

A great RSA Conference in San Francisco concludes today. Attendance was down noticeably compared to last year, no doubt because of fears related to COVID-19 and the pullout of several key exhibitors, including AT&T Cybersecurity, IBM, Verizon, and six of the nine Chinese vendors. That said, there were 614 vendors exhibiting this year compared to 624 last year, so without the (possibly) overblown fear of the Coronavirus, there would have been a year-on-year increase in exhibitors.

Here are a few takeaways and comments:

Wendy Nather gave a very interesting keynote that discussed the need for democratizing security instead of continuing the current top-down, somewhat autocratic security model that is in place today. As noted in a Dark Reading article on the topic and reiterated in the keynote, Wendy said, “I’m going to argue that we should be teaching kids not to comply with somebody else’s security system, but to make good security decisions on their own from an early age — which means we have to get rid of parental controls. We should be teaching kids to make the right decisions with the devices that they are using.” She applied more or less the same thinking for corporate users.

While I am completely on-board with teaching good cyber security practices to users, we need to keep in mind that security is not just about doing the right things. It’s also about defending against a sophisticated, well-funded, malicious, very intentional, and sometimes just plain mean adversary. This is not just about users making good security decisions, as important as that is, but it’s also about enabling security teams to have autocratic authority when it best serves the needs of the company footing the bill and taking the risks. IMO, the best security model lies somewhere between autocracy and the democracy that Wendy proposes.

One of the more interesting products discussed at RSA was Anomali’s Lens+, a web content parser that uses natural language processing to highlight cyber threat information. Lens+ is a browser plug-in that can be configured to highlight text in web pages based on various criteria. It enables threat researchers and others to view web-based threat bulletins, social media posts, articles and other web content and have highlighted for them information related to threat actors, attack techniques, malware families, and other relevant information. Plus, it enables researchers to understand if their organization has instances of these threats already present in their network, and it supports the MITRE ATT&CK framework by showing the TTPs discussed in the content they’re viewing.

Lens+ has the potential to significantly reduce the amount of time that threat researchers spend reading threat bulletins and other content related to their work. Plus, I can see enormous applicability well beyond this space, such as enabling employees to gain additional information about the content they’re reading across a wide variety of subject areas.
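To make the Lens+ idea concrete, here is an added example that is not Anomali's code and does not use natural language processing: a deliberately simple pattern-based highlighter that pulls MITRE ATT&CK technique IDs and a short list of malware family names (the families named earlier in this post) out of a threat bulletin, marks them up for display, and cross-references the techniques against a set of TTPs assumed to have already been observed in one's own environment. The bulletin text, the observed-TTP set and the `[[...]]` highlight markup are all constructed for illustration; the technique IDs used (T1021.001 Remote Desktop Protocol, T1110.001 Password Guessing, T1486 Data Encrypted for Impact, T1059.001 PowerShell) are real ATT&CK identifiers.

```python
import re

# Constructed bulletin text, written for this example only.
BULLETIN = (
    "Ryuk operators gained access over RDP (T1021.001) after a password-guessing "
    "campaign (T1110.001) against exposed hosts, then deployed the ransomware "
    "(T1486) across the network. No SamSam or Dharma activity was observed."
)

# Malware families mentioned in this post; a real tool would use a curated catalogue.
KNOWN_FAMILIES = ["Ryuk", "Dharma", "Crysis", "BitPaymer", "SamSam"]

# Assumed set of ATT&CK techniques already seen in our own telemetry (constructed).
OBSERVED_IN_OUR_NETWORK = {"T1110.001", "T1059.001"}

# ATT&CK technique IDs look like T1234 or sub-technique T1234.001.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
FAMILY_RE = re.compile(r"\b(" + "|".join(map(re.escape, KNOWN_FAMILIES)) + r")\b",
                       re.IGNORECASE)


def extract_entities(text):
    """Return sorted, de-duplicated technique IDs and family names found in text."""
    techniques = sorted(set(TECHNIQUE_RE.findall(text)))
    # Normalise family names to the canonical spelling from KNOWN_FAMILIES.
    canonical = {f.lower(): f for f in KNOWN_FAMILIES}
    families = sorted({canonical[m.lower()] for m in FAMILY_RE.findall(text)})
    return techniques, families


def highlight(text):
    """Wrap every recognised entity in [[...]] so a viewer can render it highlighted."""
    text = TECHNIQUE_RE.sub(lambda m: f"[[{m.group(0)}]]", text)
    return FAMILY_RE.sub(lambda m: f"[[{m.group(0)}]]", text)


def analyse_bulletin(text, observed=OBSERVED_IN_OUR_NETWORK):
    """Summarise a bulletin: entities found plus the techniques we already see locally."""
    techniques, families = extract_entities(text)
    return {
        "techniques": techniques,
        "families": families,
        "already_observed": sorted(set(techniques) & set(observed)),
        "highlighted": highlight(text),
    }


if __name__ == "__main__":
    result = analyse_bulletin(BULLETIN)
    print(result["highlighted"])
    print("Techniques:", result["techniques"])
    print("Families:", result["families"])
    print("Already observed in our network:", result["already_observed"])
```

The value for an analyst is the last line of output: of the three techniques the bulletin describes, only T1110.001 (password guessing) is already showing up in local telemetry, which is where the reading time should go. A regex cannot recognise a technique that is described in prose without its ID, which is precisely the gap an NLP-based product such as Lens+ is meant to close.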

There was a very interesting — and fairly contentious — keynote panel led by Craig Spiezle, founder of Agelight Advisory and Research Group entitled, “How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei”. The panel members included Katie Arrington, CISO of Acquisitions for the Department of Defense (which can no longer legally purchase from Huawei); Andy Purdy, the CSO of Huawei; Bruce Schneier from the Harvard Kennedy School; and Kathryn Waldron, a Fellow at the R Street Institute.

Craig, who would have been well served in this session had his former career been that of boxing referee, did a good job at managing the group and keeping panel members more or less on topic. While the session shed more heat than light on supply chain management, with personal political preferences leaking through at times, it highlighted the importance of prioritizing where security dollars need to be spent, since there is no way to make everything secure. As Schneier noted, securing the supply chain is an “insurmountable” problem. Whether that’s true or not is certainly up for debate.

All in all, a great RSA and probably the most enjoyable since I started attending 16+ years ago.

Coronavirus Taking Its Toll on Industry Conferences

Here’s a partial list of the impact that the Coronavirus, known officially as COVID-19, is having on tech industry conferences worldwide as of Friday afternoon, February 21st:

  • RSA Conference, San Francisco
    Verizon today pulled out of next week’s event. They were preceded by AT&T Cybersecurity yesterday and IBM on February 14th. In addition, 10 other exhibitors — three from the United States, six from China, and one from Canada — have pulled out of the conference. Of the nine exhibitors from China that were scheduled for RSA, six have pulled out; the three remaining will be staffing their booths with individuals from the United States. RSA is expected to draw up to 45,000 attendees this year.
  • Mobile World Congress, Barcelona
    This conference, scheduled for February 24-27 and which normally draws about 100,000 attendees, was cancelled on February 12th. The announcement followed LG, Google, AT&T, Airbus, Sony, Cisco, Facebook, Nvidia, Amazon and several other exhibitors announcing that they were pulling out of the show.
  • DEF-CON China, Beijing
    This conference, scheduled for April 17-19, has been put on hold for six months because “China has announced a six-month hold on events like ours as part of the effort to combat the coronavirus outbreak”.
  • Facebook Global Marketing Summit, San Francisco
    The March 9-12 summit, expected to draw 4,000 participants, was cancelled by Facebook’s management “out of an abundance of caution.”
  • PAX East 2020, Boston
    Sony Playstation pulled out of this major video game conference because of fears over the virus.

In addition to these, more than two dozen trade shows in Asia have been cancelled because of the Coronavirus outbreak.