How has the coronavirus pandemic created an opportunity for bad players like the Chinese regime to steal data from major corporations in the West?
What steps can companies and individuals take to fend off these attacks?
And how is the Chinese Communist Party spreading false propaganda about the virus as part of its information warfare campaign?
In this episode, we sit down with Gregory Barbaccia, a former Intelligence Sergeant in the US Army and former head of Palantir Technologies’ internal threat intelligence team.
This is American Thought Leaders 🇺🇸, and I’m Jan Jekielek.
Jan Jekielek: Greg Barbaccia, so great to have you on American Thought Leaders.
Gregory Barbaccia: Thank you for having me.
Mr. Jekielek: So, Greg, you are an expert in counterintelligence. In the past few years, we’ve been learning a lot about the great extent of the cyber attacks that have been coming out of communist China. You have a very interesting perspective on this as this coronavirus situation is hitting and people are working from home. When we talked offline you described to me a pretty scary situation. Tell me about what you’re seeing. We have all these people who are working from home. And now what we call the cyber attack surface is much wider.
Previously, you’re in an office on your office endpoints that are provided. They’re generally secured behind a virtual private network, and various types of firewall technology, both software and hardware appliances. What we’re seeing now is people are working from home. And now the security of the information passing back to their companies is only as secure as the weakest link in their personal network infrastructure. Tell me in layman’s terms, what does that mean exactly? What are the implications?
Mr. Barbaccia: Let’s say you’re now working from home remotely on your personal laptop. You’re no longer on a company laptop that probably has an image that’s strictly set by your IT or infosec team with antivirus technology, firewall technology. So right away now the actual physical device you’re on is vulnerable. Also, you’re connecting to your normal home router. Netgear, for example, is the most popular router in the United States. They had a pretty large vulnerability they were scrambling to patch a few weeks ago. So now you’re introducing how vulnerable your wireless router is. Then you’ve got modems… who’s using what type of technology to get to the big internet? Am I doing a hotspot off my phone? What type of phone is it? What type of service provider am I using? There’s just so many more ways for what is called a “man in the middle attack” to occur, or people just become victims of their own poor cybersecurity hygiene.
Mr. Jekielek: You could imagine spies trying to use the pandemic as an opportunity.
Mr. Barbaccia: Absolutely. This presents an exciting opportunity for an adversary to collect a ton of intelligence on the employees of a company they’re targeting. Specifically, think of a cleared defense contractor that’s working on classified contracts with the US government. Previously, the target has to be the technical infrastructure of the office building. [They] have one place to attack. Now let’s say your email server is compromised at the corporate level through any of various means.
Now everyone is sending emails from their home networks. When you send an email, the header has certain metadata associated with it. Header information includes the originating IP of where that email came from. When you’re in the office, usually everybody’s exiting on the same router internet connection. So everybody’s getting the same exit IP address, especially if you’re behind a virtual private network. Now at home, if you’re able to collect the metadata based off company communications, and this could be things like, you know, Slack, which is super popular, you will be able to map the IP addresses of all the employees of that company. And with different levels of granularity, you could get very close to geo-locating those employees. From there, you could plan an entire operation to use human intelligence and other attack methods.
Mr. Jekielek: So do you think this is happening right now?
Mr. Barbaccia: I would be surprised if the MSS (Ministry of State Security) in China is not thinking about this or would miss an opportunity this large of a scale.
Mr. Jekielek: It seems like the Chinese Communist Party isn’t really missing any opportunities. You know, there’s a ton of evidence that the virus originated in China, that it was Chinese mismanagement and censorship and disinformation that allowed it to spread to the extent that it has. At the same time, the Chinese Communist Party is saying that it’s got everything under control, that in fact, it’s coming to the salvation of the world, so to speak. What do you make of this?
Mr. Barbaccia: It’s classic disinformation, they’re doing anything they can to make the United States look bad, such as saying this was a biological warfare attack by the US Army, which is ludicrous. They’re using any opportunity to make them[selves] look good. [For example,] the goodwill of them providing information now, way too late, or medical supplies in the manufacturing of PPE (personal protective equipment).
Mr. Jekielek: You have experience working in intelligence in these sort of types of crisis situations. What exactly did you do?
Mr. Barbaccia: I come from a tactical military background. I was an intelligence sergeant, active duty in the Army for five years with deployments to … Afghanistan. After that I worked in the intelligence community doing strategic-level intelligence in DC, focusing on counter-IED activity for our troops overseas. And then for the last 10 years, I’ve been at a cleared defense contractor that was making very exciting technology that’s in use on the battlefield for the US intelligence community and what we call US military partners. So I was in charge of protecting [against] the Chinese government using either overt or clandestine means to purloin that technology and understand our new capabilities.
Mr. Jekielek: What can folks who are working from home do? And what should companies be doing to prevent these mass collection scenarios?
Mr. Barbaccia: Your personal cybersecurity hygiene is very, very important. You need to understand the type of devices you’re running on. Whether you’re on Windows or Mac, you need to make sure it’s updated regularly with all the security patching, you need to make sure your router and your modem have the updated security patching, and all the latest firmware. And then you just need to be smart. You need to not be going to suspect websites, things that are coming from China. You need to be smart about all the stuff we hear about, [for example], phishing. What am I clicking on? Does it make sense that this company is asking for my login information? And is this website legitimate? You want to be using SSL, the difference between HTTP and HTTPS.
And the biggest vulnerability I see is that people have simple passwords. They’re reusing passwords on a number of sites. And breaches are so ubiquitous that this is such a rich trove of information for an adversary to build a picture about you. It’s called Open Source Intelligence.
Mr. Jekielek: So you’re basically saying the best thing you could do is change your password to a more complex one.
Mr. Barbaccia: You should be using a password manager. You should not know any of your passwords, no matter how much duress you’re under. There are commercial solutions available. They automatically populate your passwords.
I’m a fan of using obfuscated usernames too. The problem is if I’m using firstname.lastname@example.org with an easy password, and that leaks to the dark web. A lot of people reuse those passwords, so an adversary will go try all the social media accounts to see if I’m using that same password. And also, I’m using my name as the username, which identifies me; you’re usually better off using random numbers or letters.
Mr. Jekielek: So what about in a corporate situation? What should companies be doing to secure against this increased threat of people working at home?
Mr. Barbaccia: Companies must ensure they implement a virtual private network, which means you cannot get to corporate resources from the big internet. You have to have tunneling through the corporate internet connection to even get to the resources. So I can’t go to the library and log on to any public computer and just get to my sensitive corporate resources. Things like email are a little different through technologies like Office 365, for example. But if you want to get to a company’s internal data, you should have to credential in through a virtual private network. And there should be two- or three-factor authentication. Two factor: the first factor is a password that you know; the second factor is a code that goes to your device via some sort of authentication app. … A third factor is a physical token. So even if you were to get my password and my two-factor authentication device, you still need a physical token to log into accounts.
Mr. Jekielek: What’s a physical token?
Mr. Barbaccia: Usually you see them in one of two ways. Google Titan has technology. YubiKey is a popular one. And it’s usually a USB device, you plug directly into your computer, or an old serial bus. And what we’re also seeing now from mobile devices and Bluetooth computers is a Bluetooth dongle. You leave it on your keychain and you could push the button for the authentication.
Mr. Jekielek: It might be tough for some of us to do it personally. But I think in a corporate setting, this would make a ton of sense.
Mr. Barbaccia: Biometrics are popular now too. Some Mac hardware endpoints come with fingerprint readers. You’ll see that you need to scan to unlock the device as well, which I’m a big fan of.
Mr. Jekielek: Are you saying that people are unlocking these things remotely?
Mr. Barbaccia: It’s certainly possible. When an adversary gets physical access to the device, all bets are off, especially when you’re dealing with an adversary as sophisticated as China. They have a tremendous amount of technological capability. It’s also no secret that when they get access to a device, they take the contents even if the contents are encrypted, because they understand that while they may not be able to decrypt and read the contents now, in a few years, technology will probably catch up and they’ll be able to.
Mr. Jekielek: What is the level of sophistication that the CCP has?
Mr. Barbaccia: I think [their] signals intelligence capability is world class, and the opinion of most intelligence professionals [is that they are] a near peer to the United States in that regard.
Mr. Jekielek: So what industries would you say are most at risk here?
Mr. Barbaccia: Certainly high tech and national defense. We’re talking about things like AI, machine learning, robotics, people who are building large platforms, the giant government and industry around the Beltway generally.
Mr. Jekielek: Which industries work from home the most right now?
Mr. Barbaccia: From my experience, it would be the high tech industries that are building platforms that the giant defense platforms work off of. There are certain industries when you’re building physical infrastructure for the government that have to be done from a factory. Luckily other very susceptible industries are highly regulated—things like finance, things like health care—they are simply not permitted to work from home. So there’s slightly less risk on those industries, which is a good thing.
Mr. Jekielek: So people working in healthcare are actually going into the office because they’re an essential industry.
Mr. Barbaccia: Not only are they essential industries; they are covered by very, very heavy regulations. When they’re dealing with financial transaction information, trading, things like that, when you’re dealing with public health information, there’s regulations around exactly what systems are allowed to hold and process that data. So you simply are unable to open a personal laptop in a lot of these instances.
Mr. Jekielek: So you’re not worried that it’s exactly these industries that are more vulnerable due to the nature of this crisis?
Mr. Barbaccia: Everybody’s more vulnerable. I think they’re slightly less susceptible to being taken advantage of here. But the flip side of that is, if they were to be exposed, the risk to the economy would be far greater.
Mr. Jekielek: A lot of folks watching this show might not be terribly technically inclined, but they might still be concerned. What can they do themselves?
Mr. Barbaccia: Telecommuting and virtual teleconferences mandate the use of microphones and cameras, either external or embedded in your machines. You have to be very smart about these; there is a ton of historical precedent where these have been attacked and activated by adversaries or simply criminals. Make sure you’re doing simple things like knowing when it’s on or off, and physically blocking the aperture of the camera so it can’t be spied on remotely.
And another really important thing is… when you leave your machine, just simply lock the operating system. Also when you’re not using the machine, shut it down completely. That way it has no active connection to the Internet. This is different than putting it to sleep. … What you’re doing is minimizing the threat surface; you’re making the amount of vectors available for an adversary to target far smaller.
Mr. Jekielek: What about Echoes and Google Homes?
Mr. Barbaccia: That’s what is called the Internet of Things. There are over a billion internet-connected devices right now. Think of things like your smart TV, the aforementioned virtual assistants, Siri on your phone, smartwatches, your pedometer, that’s sending things to the cloud… These are all susceptible to tracking by a highly technically sophisticated adversary.
You will really be surprised how many things around your house are connected to the internet—things like coffee makers nowadays, refrigerators, Nest cameras, smart home thermostats. There’s simply so many things that are connected to your network right now. It’s really shocking.
Mr. Jekielek: What precautions could people take for these types of devices?
Mr. Barbaccia: Make sure you understand what information is getting sent and make sure you understand the privacy settings of your device. There’s a couple layers to protecting yourself here. One is understanding what information is broadcasting. The second one is how to obfuscate your identity with that information. So earlier I mentioned using usernames for accounts that aren’t your real name. That way, it’s harder for an adversary to… take all these different pieces of intelligence, and try to piece them together to make a holistic view of my target audience.
Mr. Jekielek: Is there any evidence of increased cyber espionage happening right now?
Mr. Barbaccia: I have not seen evidence that’s been released to the public, but you would have to assume it is happening. Some people say that the MSS has bigger things to worry about. But they are laser focused on espionage against the West, primarily against the United States. So they don’t care what kind of pandemic’s happening. They’re just worried about where their information is coming from. The Thousand Talents Program (the transfer of technology from the United States to China) is generally done through Chinese nationals who are coming here and are usually unwittingly getting involved. Or they are being coerced to send intellectual property and high-tech research and development back to the Mainland. The problem is that with travel restrictions, they’re losing the amount of human bodies they have in the United States to directly collect intelligence and send it back. So they have to mitigate that. They cannot allow for a drop in their intelligence collection. So what you lose in human intelligence capabilities, you have to make up for either in trying to co-opt non-Chinese-national sources of human intelligence, or targeting the technological vulnerabilities that exist.
Mr. Jekielek: As this situation goes on, what is your expectation? Are these attacks just going to start increasing?
Mr. Barbaccia: …As this is impacting Chinese human intelligence espionage operations in the United States, they’re going to have to focus much more heavily on technological and signals intelligence collection. That means they are going to have a gap in about six months to a year of how much collection they could do against the United States. And even more importantly than purely the amount of intelligence collected, they’re losing their way to coerce their co-optees into working for them. So this pandemic has shown a few things that are very bad for how they influence our population. One, it’s showing economic fragility in China, which they do not like getting out. And more importantly, it’s showing that these talent programs say they’re investing in you… but what you’re really seeing is that the Party is only interested in supporting science and facts that support their agenda and their propaganda. Once something doesn’t take the Party line, they’re very literally disappearing people. And they’re literally letting people die when they don’t stay in step with the propaganda. That is very bad for the recruitment of people in the future.
Mr. Jekielek: That’s a very interesting perspective I hadn’t considered before. How does CCP intelligence gathering differ from the intelligence gathering in the West in terms of methodology?
Mr. Barbaccia: The Chinese intelligence infrastructure, it does so well because everybody in the country is a co-optee, whether they’re witting or unwitting. [The CCP] just exerts so much control over the population. And with the amount of surveillance and the amount of data they collect, they know everything about everybody. So they have so much of a capability to exert control and influence over their population. In the United States, it’s just not done that way. We use our own intelligence services, we partner with partner and coalition intelligence services. We do not co-opt United States’ innocent citizens who are in foreign countries as a matter of doctrine. It’s just not how the United States operates.
Mr. Jekielek: It seems they collect everything whether it seems useful or not. Sometimes it’s just casual things that no one would think of as being important or classified, but then they amalgamate them to paint a broader picture on someone or a situation.
Mr. Barbaccia: Open Source Intelligence, which is defined as collecting information that is not secured, that you don’t have to intercept or crack. That is the single largest producer of intelligence right now. That is more than technical capabilities at the national level. And it’s all about putting these pieces together, [tracking a leaked password across multiple platforms]. Social media and Facebook is just the best thing to happen to people who are doing counterintelligence targeting, maybe ever.
Mr. Jekielek: Just to be clear what you’re describing, is that the US intelligence collection, Chinese, or both?
Mr. Barbaccia: Both, and it’s done in the civilian sector, especially in law enforcement.
Mr. Jekielek: So Greg, let’s switch gears here a little bit. And tell me a little more about what you’re seeing on the information warfare side of all of this. What is the CCP doing now?
Mr. Barbaccia: While this pandemic is terrible for them as well, it also gives them a great piece of information here and a great narrative to develop. This narrative that this (the virus) is a capability that was deployed by the United States military, or the United States intelligence community. Had they not had this epidemic to point to, they would have to be making things up. It’s interesting to watch this as one of their core doctrines. … They’re making lemonade out of lemons here. “There’s something terrible that’s happening in our country. But how can we use this to exert further information control on our population and demonize the West?”
Mr. Jekielek: The Chinese Communist Party told the World Health Organization in mid-January that there was no human to human transmission. The WHO published that as fact and misled most Western countries. What do you make of that?
Mr. Barbaccia: It shows a very troubling influence of China to the WHO. …It’s being used to make the United States response look bad, and to sow discord among the population, and frankly, it’s working.
Mr. Jekielek: Any final words?
Mr. Barbaccia: We are our own worst enemies in these situations. You simply need to be smart. You need to make sure you know what type of devices [you’re using], what the vulnerabilities are. Just get online and look at cybersecurity best practices. You don’t want to be the weakest link for your company.
Mr. Jekielek: Do you have a website or checklist to recommend?
Mr. Barbaccia: I have a blog. It’s called Intelligence Et Cetera. www.intel-etc.com. You’ll find my cybersecurity hygiene best practices there.
Mr. Jekielek: Greg, it’s such a pleasure to have you on.
Mr. Barbaccia: Thank you Jan.
For best practices to protect your data, visit Barbaccia’s website: https://intel-etc.com/
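The exchange above on email metadata argues that once everyone sends mail from home, the Received: headers stop showing a single corporate exit address and start exposing each employee’s own connection. The following is an added example, not code from the interview or from Barbaccia, showing what that exposure looks like in practice: it parses constructed sample messages with Python’s standard email module, takes the earliest non-internal hop in the Received: chain as the sender’s originating IP, and flags any sender whose address lies outside an assumed corporate egress range. The hostnames, addresses and mail-server names (mail.example.com, 203.0.113.0/24 as the corporate egress, the RFC 5737 documentation addresses as residential and mobile exits) are all assumptions for the sake of the example.

```python
"""Added example: what a mail-header leak exposes when staff send from home.
Each Received: header records the hop that handed the message on, so the
bottom-most one carries the IP the sender's own machine connected from."""
import email
import email.utils
import ipaddress
import re
from collections import defaultdict
from email import policy

# Assumed corporate egress: office and VPN users exit via 203.0.113.0/24.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Hops inside these ranges (RFC 1918, loopback, link-local) are internal and
# say nothing about where the sender is, so they are skipped. Checked by hand
# rather than with ipaddress.is_private, which would also flag the RFC 5737
# documentation addresses used in the constructed samples below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages (not captured traffic), newest hop first, as a
# receiving MTA stores them. mail.example.com is the assumed corporate relay.
MSG_ALICE_HOME = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.partner.example (Postfix) with ESMTPS id 4a1b2c3d
    for <bob@partner.example>; Mon, 23 Mar 2020 09:12:01 +0000
Received: from alice-laptop (cpe-198-51-100-42.res.example.net [198.51.100.42])
    by mail.example.com (Postfix) with ESMTPSA id 9f8e7d6c;
    Mon, 23 Mar 2020 09:11:58 +0000
From: alice@example.com
"""
MSG_CAROL_OFFICE = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.partner.example (Postfix) with ESMTPS id 1b2c3d4e
    for <bob@partner.example>; Mon, 23 Mar 2020 10:02:11 +0000
Received: from carol-desktop (carol-desktop.corp.example.com [10.20.30.40])
    by mail.example.com (Postfix) with ESMTPSA id 5e6f7a8b;
    Mon, 23 Mar 2020 10:02:09 +0000
From: carol@example.com
"""
MSG_ALICE_TETHERED = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.partner.example (Postfix) with ESMTPS id 7c8d9e0f
    for <bob@partner.example>; Tue, 24 Mar 2020 14:30:44 +0000
Received: from alice-laptop (unknown [192.0.2.77])
    by mail.example.com (Postfix) with ESMTPSA id 2a3b4c5d;
    Tue, 24 Mar 2020 14:30:41 +0000
From: alice@example.com
"""
SAMPLE_MESSAGES = [MSG_ALICE_HOME, MSG_CAROL_OFFICE, MSG_ALICE_TETHERED]


def hop_ips(raw):
    """IPv4 address of each Received: hop, earliest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    ips = []
    for header in reversed(msg.get_all("Received") or []):
        match = BRACKETED_IPV4.search(str(header))  # first [ip] is the 'from' host
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip(raw):
    """Earliest hop that is not an internal address: the sender's real egress IP."""
    for ip in hop_ips(raw):
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            return ip
    return None


def map_senders(raws):
    """Sender -> set of originating IPs: the picture header access gives an adversary."""
    seen = defaultdict(set)
    for raw in raws:
        msg = email.message_from_string(raw, policy=policy.default)
        sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
        ip = originating_ip(raw)
        if sender and ip:
            seen[sender].add(ip)
    return dict(seen)


def off_network(sender_map, corporate_nets=CORPORATE_NETS):
    """Drop corporate egress addresses; what remains are home and mobile exits."""
    flagged = {}
    for sender, ips in sender_map.items():
        outside = {ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in net for net in corporate_nets)}
        if outside:
            flagged[sender] = outside
    return flagged


if __name__ == "__main__":
    for sender, ips in off_network(map_senders(SAMPLE_MESSAGES)).items():
        print(sender, "sends from outside the corporate egress:", sorted(ips))
```

Carol, who sent from an office desktop on a 10.0.0.0/8 address behind the corporate relay, resolves to the shared corporate exit and is not flagged; Alice, who sent once from a residential line and once tethered to a phone, shows up with two distinct outside addresses, which is exactly the per-employee mapping the interview warns about. Routing home users' mail through the corporate VPN so their first public hop is the corporate egress, or having the relay strip or rewrite the client's Received: line for authenticated submissions, removes that signal from the header.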