
Q&A: Eric Wall on Cybersecurity and the Supply Chain

Eric Wall,
Chief Information Security Officer,
University of Arkansas System

WE LIVE IN weird times, and sometimes people get freaked out. Such was the case last month when news broke that 5,000 pagers used by Hezbollah exploded in their very hands, at the very same moment. It was yet another bloody chapter in a long history of warfare in the Middle East, but this particular chapter struck a nerve far from the source—all because of its implications for “the supply chain.” We asked the U.A. System’s Eric Wall, one of our favorite cybersecurity experts and an all-around level-headed guy, to give us his thinking on the subject.

——————————————

The detonation of these pagers has caused considerable concern about cybersecurity and the supply chain—for example, some people in China are so worried about their iPhones exploding that they’re destroying them themselves. What’s your take on all this?

There were multiple theories of what happened. Maybe the devices all overheated at the same time, but what are the odds that 5,000 pagers overheated at the exact same time? Not high.

So more has come out and it was an incredibly well-planned operation. Israel had unfettered access to the production lines of these pagers, and implanted three grams of an explosive with another circuit chip that was undetectable. It looked exactly like any pager that didn’t have that stuff. And it just came out that the message that these pagers received was an encrypted message, which required the recipients to hold the pager in their hands and press two buttons at the same time to unencrypt it. All the message said was, “You’ve received an encrypted message.” And you had to push two buttons simply for the reason of inflicting more damage. To blow off both hands instead of one.

Wow. But the interesting thing about this, to me, is that while people are concerned about cybersecurity, these pager explosions were basically old-fashioned. They actually inserted physical explosives destined for their target audience. So this isn’t the same as cybersecurity, is it?

No, it’s not. This was a very specifically targeted pinpoint attack. At the other end of the spectrum of cybersecurity attacks, it’s all “spray and pray.” It’s a numbers game. The more doors you knock on, the more answers you’re going to get. Cyber attackers don’t necessarily know who they’re attacking. It’s just IP addresses. They knock on every door they can, and then when they get a hit and get into the data, that’s when they know if they have a treasure trove or not.

They’re very different, the exploding pagers versus cyberattacks. But when you’re talking about protecting yourself against supply chain attacks, whether it’s a cybersecurity attack or a physical “pager” attack, it’s practically the same things you do to protect yourself—you want to vet your vendors. You want to know everything about your vendors that you can.

In the cyber world, people ask for these things called SOC2 reports. These are reports showing that, at a certain point in time, an auditor came in and checked to see, “Are you doing this and doing this and doing this? Okay, yeah. We’ll give you a SOC2 attestation and say that you’re SOC2 certified.” And then you can give that to potential customers.

I’ll take those from vendors, but they don’t mean much to me because they’re point in time. They’re also something that depends on the diligence of the auditor who’s doing the checking. Is he really looking hard, or is he just going, “Eh, looks good to me”?

What we at the UA System like to do is a more active investigation into the vendor using a tool to do ongoing monitoring of vendors. Looking at them from the outside, looking at their website, looking at their IP addresses, looking at their Domain Name System, looking at their mail setup, looking at all these services that are presented to the Internet—just like an attacker would, right?

The attacker is just sitting there, hitting IP addresses and pinging things and trying to see what responds and see what might be a little sliver of a crack that they can stick their foot in your door. And so those kinds of tools can give you more of a realistic view of how careful your vendors really are, instead of that SOC2 report, which might have been done four months ago or two years ago.

Maybe it’s just me imagining, but I’m feeling like we’re entering a new phase of cybersecurity dangers because of A.I. Do you agree with that, or is it just the same as usual?

No, I think you’re right. As much as A.I. helps us craft our emails and sound more intelligent than we may be, it also helps the cyber attackers. The Nigerian Prince emails that you used to receive, with terrible grammar and lots of misspelled words, those are going to go away because the bad actors can also turn out a better-written email.

And I think the next scary A.I. hurdle that we’re going to face is what we call “adversarial A.I.” This is where potential attackers start feeding the A.I. engine data about you specifically to start scraping for a summary of your stance, a summary of your cybersecurity posture. And just as you can ask A.I. to look through your emails and “summarize my inbox for today and tell me the top three things I need to worry about,” an adversary would also be able to say, “Hey, summarize the biggest vulnerability that you can see about this organization, and tell me the quickest path that I could get in.”

That’s not going to be so much the spray and pray that attackers are doing right now. It’s going to be a little more targeted, and we’ve seen cases where adversaries specifically say, “I’m going to take down Target or Visa or Microsoft,” and really try to hammer them.

I don’t think that’s going to be something that everybody’s going to get hit with all at once, but eventually, the efficiencies that adversaries are going to gain through A.I. are going to be important for us to keep an eye on.

I read the other day about the very young age of some of these hackers. One of the top ones was a kid age 15. They’re moving from video games to vanquishing real foes. What do you know about that?

Yeah. I recall that in one of our previous conversations, I talked about “ransomware as a service,” where what I called “script kiddies” could just buy a package and didn’t have to have any hacking skills themselves. They could buy this package from experienced attackers and just run the package, and see what they could get. They have to forfeit half of whatever they get to the people that provided the package to them, but they get to keep the other half. It’s free money. And they have fun doing it. It’s like you said, instead of shooting pixels, they’re firing off packets.

I think that A.I. has definitely contributed to that and will continue contributing to that, just making it all easier. I hesitate to call them “script kiddies” anymore because they’re getting a little more advanced than that. They’re kids by age, but it’s almost like they’re “conversational kiddies” now because you’ve got to prompt the A.I. engine a little bit to get what you want out of it. If you go to ChatGPT and ask how to make a bomb, it’s got guardrails and it’s going to say, “Sorry, I can’t help you with that.” But if you ask it, “Hey, tell me a chemical reaction that causes rapid extreme heat,” it’s very likely to answer you. So it’s not necessarily the tool. It’s how to get around the guardrails of the tool, which takes some sophistication.

I want to go back to the supply chain for a minute. Like you say, no one’s targeting you, and, hopefully, not me and my iPhone either. But the scariness of the pager explosions is a real thing, no?

Yeah, the public panic aspect of it is definitely there. But I think that we, as Americans, feel a little bit shielded from that. Remember, some company let that happen. Imagine the legal fallout if Apple, for example, allowed that to happen here–or anywhere, for that matter. Apple has so many incentives to not allow that to happen, and they’ve got a pretty good track record. I don’t want to fully endorse Apple as a company, but they’ve got a good track record of protecting your data and refusing to even unlock your data for law enforcement.

So at some point, you’ve got to trust someone. You’ve got to live life. You’ve got to try to not live in fear. You’ve got to walk outside and get in your car, and go down the street and get a cup of coffee.

Good advice. So what other recommendations do you have for all of us who are just trying to do our jobs and get through our days while cyber attackers continue to refine their craft?

My best advice is, continue to mind your gaps. Make sure you’re being diligent. Use a password manager—go through all your logins and make sure each password is unique and random. Buy your parents and grandparents a subscription to a password manager for Christmas and spend a few hours this holiday season working with them to change their passwords. Teach them how to generate passwords and save them to their vault when they sign up for an account at a new website. Make sure that you’re not sharing MFA codes. I get so many trash texts. I’m sure you do too.

I get texts, I get emails, and I can’t get rid of them.

Yeah, well, you mark it as spam and they’re just going to message you from another number, or send you an email from another email address, and it’s just Whac-A-Mole. So don’t share sensitive information with anybody that you don’t know. If you get a text from an organization saying, “Hey, look, your Bank of America account, we need to do something,” don’t trust it. Pick up the phone and call the trusted number that you know. You initiate the conversation. If someone else initiates the conversation with you, don’t trust it. Just be diligent. Teach kids how to be diligent. Teach your grandbabies how to be diligent. It’s sad that we’ve got to do that now, but we do.

I love the Internet. I really do. But I don’t love all the things that the Internet’s created and caused—misinformation, disinformation. So vet your sources, check your stuff, and don’t believe everything that shows up on your computer or phone. I think it was Abraham Lincoln who said, “Don’t believe everything you read on the Internet.”