ISMG Editors: China-Linked Espionage Targets US Telecoms
Also: Highlights from ISMG's Financial Services Summit and Key Insights on AI Adoption
Anna Delaney (annamadeline) • November 22, 2024
On the 200th episode of the ISMG Editors' Panel, the team discussed the major China-linked cyberespionage campaign targeting U.S. telecommunications firms, highlighted key insights from ISMG's Financial Services Summit in New York and unpacked the top findings from ISMG's annual Generative AI Survey.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Tom Field, senior vice president, editorial; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discussed:
- Highlights from ISMG's Financial Services Summit held in New York, and key topics on account takeover, CISO leadership expansion, and the rise of machine identities;
- How T-Mobile and other major U.S. telecom providers were targeted in a sophisticated China-linked cyberespionage campaign and the broader implications for national security;
- Key takeaways from ISMG's Annual Generative AI survey, which reveals increased AI adoption, ongoing security concerns including data leakage and AI bias, and the complexity of AI implementations.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 8 edition on U.S. election impact on cybersecurity and HIPAA and the Nov. 15 edition on ransomware - the growing public health crisis.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to episode 200 of the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll unpack a major China-linked cyberespionage campaign targeting U.S. telecoms, share insights from ISMG Financial Services Summit in New York and dive into key findings from ISMG's Annual Generative AI Survey. Joining me today is the same incredible team from our very first episode back in March 2021 - Tom Field, senior vice president of editorial; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Tony Morbin, executive news editor with the EU. Welcome team and congratulations. Mat, this week, you reported that T-Mobile and other major U.S. telecom providers were targeted in a sophisticated China-linked cyberespionage campaign. T-Mobile has confirmed no sensitive data was breached. However, the attack raises serious concerns about telecom vulnerabilities. What more do we need to understand about the scope of these attacks and their implications for national security?
Mathew Schwartz: This is an interesting story to be having happened while we're in the ending days of the Biden administration and before Trump comes into office, because a lot of people are foreseeing him taking a more pointed approach to China relations, and this certainly could be fuel for the fire, because of what has been unfolding here. The Wall Street Journal in particular has been ahead with reporting on this campaign, which appears to have been running for eight months or more. It's not clear that all of the telecommunications firms that were targeted were necessarily breached for that long, but this appears to have been a multi-pronged campaign with national security targets that is likely being run by the Ministry of State Security in China, so a cyberespionage operation intending to gather information of use to the country's intelligence services. What appear to be the parameters of this campaign? What we know so far is that big U.S. telcos, including Verizon and also Lumen, we mentioned T-Mobile and also AT&T, are known to have been hacked. Now AT&T, Verizon and Lumen have lost some significantly critical or sensitive data. It's not clear how many individuals have been affected. There are rumors that Trump and JD Vance could have been targeted again, though we've got no public information about the precise targets or who did fall victim. Apparently, some countries closely allied with the U.S. were also targeted. This might involve Five Eyes intelligence sharing alliance members such as the U.K. and Canada. We don't know that yet, either. What we do know is the FBI and also CISA are probing these attacks, working very closely with the telecommunications firms. The U.S. government has confirmed the attacks as well. They are the work of a group codenamed Salt Typhoon. Microsoft's come up with this naming system where typhoon refers to China, and this one is salt. Again, this goes back to the Ministry of State Security.
This is a broad and significant cyberespionage campaign, says the U.S. government, which again is attributed to Beijing-backed attackers. Some of the wrinkles here are that the attackers appear to have gained access to backdoors that are in telecommunications networks precisely so that they can comply with court-ordered eavesdropping. The attackers have basically used the government's eavesdropping tools against it. It's a reminder that if you build a backdoor or if you weaken encryption, then not just the good guys might be getting access to it. What's been compromised? Customer call record data, private communications for what are supposedly a limited number of individuals who are involved in political or national security activity, and again, some of the information that could have been gathered for court-ordered eavesdropping or surveillance. Lots of information still to come out about all this. T-Mobile took pains to tell me that nothing sensitive was stolen from its systems. No customer data was stolen from its systems. We often hear organizations say there's no evidence that stolen data was misused, but T-Mobile is saying something different. It's saying there's no evidence this information has gone missing after its in-depth probe. So if that's true, and it seems to be, kudos to T-Mobile for not losing info. That doesn't seem to have been the case with some of these other major telecommunications firms. Allegedly the attackers have gotten in in such ways as exploiting vulnerabilities in Cisco routers. There's probably a lot more to come out about that as well, because if the Chinese nation-state hackers are breaking in that way, I'm sure the criminals will be soon, if they aren't already. This is threat intelligence that everyone's going to need to be putting to use. You've got Congress asking for briefings by the telecommunications firms. There might also still be a bit that just isn't yet known as the FBI and other agencies continue to probe these attacks.
Delaney: Great analysis. Reports suggest that these attacks focus on individuals tied to national security, perhaps. How do you see this affecting the cybersecurity priorities of telecom providers? And as a follow-up, what are the cybersecurity lessons leaders can learn?
Schwartz: It's going to be interesting to compare and contrast the telcos that did and didn't lose data, assuming there's any of them that didn't. T-Mobile says that, yes, they got in, no, they didn't take anything of any value. If that's true, then why did they fare so much better than some of the other telcos? Is there a need for greater regulation of telecommunications in the United States? It is a critical resource, and if the telcos don't have the defenses, or some of them don't have the defenses in place to safeguard things like the incoming presidential administration's communications, then maybe somebody needs to light a fire there.
Delaney: More questions than answers. As you said, great stuff. Thanks, Mathew. Tony, you've been leading ISMG's Annual Generative AI Survey. Could you share some of the key initial findings?
Morbin: As well as our 200th issue, it's also the second-year anniversary of the ChatGPT demo version being launched by OpenAI on Nov. 30, 2022, so I'm just going to lead into it. Two years ago, OpenAI launched with ChatGPT. It's now valued at some 29 billion. Gen AI adoption figures are meant to include 75% of Indians having used it. The gen AI market is valued at 67 billion this year and growing rapidly. Security concerns do remain, and they are deterring some from adopting the technology, either through caution or even outright rejection. Before going on to some of the findings of the second Annual Generative AI Survey from ISMG, I also want to mention a couple of comments that I heard at a round table that I attended in London, where, seated next to each other, were representatives from the U.K.'s National Health Service and from a leading private health insurer. The health insurer implemented AI in purpose-specific use cases, and that ranged from triaging treatment inquiries to running its customer retention program, and the latter was reported to have driven retention rates from 25% to 90%, so that had saved it some 90 million pounds in the process. In contrast, the public sector NHS reported moving forward with an abundance of caution due to the fundamental priority of ensuring public safety and data privacy. Certainly there was no rejection of the benefits of AI, but those benefits aren't currently being achieved at the NHS, which kind of highlights the need to address the security concerns around AI to get that bigger uptake. The security concerns are real, and the returns on investment are often not achieved due to the complexity of integration, the skilled staff available for implementation and the variability of use cases. What our own survey did show is that there is increasing confidence in using AI. Those outright rejecting AI use, banning it, fell from 30% in our first survey to 9% in the current survey.
Over the same period, there was a doubling in the implementation of AI, from 14% having implemented it to 28%, and that doesn't even include a further 32% who say that they do have it in a pilot phase, so more than half have some kind of AI usage, while 25% say they're investigating it. It was also interesting to see that 30% of respondents now say that they've got a specific budget for generative AI solutions, and that's more than double the 13% saying the same a year ago. In fact, 51% of respondents said that they have specific plans to purchase AI solutions over the next year. When we come back then to the concerns, it's no great surprise that data leakage, and leakage of sensitive data by staff, is a top three concern for 70% of respondents. There was an equal level of concern about the ingress of inaccurate data and hallucinations, along with AI bias and ethical concerns. I mentioned my 58% of respondents. I'm not sure if I should run through the whole list here, but it was things like understanding reproducibility of the algorithms' decision-making, lack of transparency of data sources used in learning, potential compromise of compliance with regulations and standards, inaccurate decision-making, lack of skills and understanding of the underlying processes, meaning that they have an inability to revert to manual, and poisoned copyright IP, particularly when building software, so you've suddenly got copyrighted material in your software. Probably not so much in our industry, but existential threats were cited by 17%, and while that figure might sound low, we're talking about nearly one in five business and security leaders worried about humanity's existence due to AI. Existential threats are pretty big in that context. One of the particularly interesting aspects of the report was a free text section where respondents who had implemented gen AI were asked: What was the biggest difference between what you expected and the reality?
There was a huge variability in responses, from the highly positive comment like "ROI has been orders of magnitude higher than expected" to damning negatives like "the squeeze isn't worth the juice" and "doesn't live up to the hype." Where we're seeing material gains from implementing AI, there are also the voices of painful experience, such as "it's hard to implement as we lack the skills that we thought we had," or "expectations that the media portrays as the solution for all use cases and problems. The reality is that only certain use cases are feasible at present, or require extensive training and testing before deployment, plus observation of how little employees know how to use it and how little leadership values its potential." There was another comment saying, "Reality is that to make gen AI tools secure and compliant with fast-moving laws and technology that's behind is a challenge in itself. In reality, what we see is that AI has a hallucination rate, and what it does today is not at all what was stated in the majority of marketing articles. We need to engage and do hands-on work to identify the reality and then translate this without marketing in a practical way to business, who can then build use cases based on reality." While the negative comments were about two to one over the positive, the positives were often effusive. There were responses like "our experience with AI has been very positive, exceeding expectations with its high accuracy and speed. The biggest difference was how quickly it could deliver precise insights, far surpassing initial projections." Factors likely to influence this divergence in outcomes will include the specific use cases deployed, who was going for the low-hanging fruit and who was trying to put a saddle on a cow, the models that were used, the legacy systems and the integration issues that they cause, the capabilities of the organization in implementing gen AI, and the level of expectation due to the hype and marketing.
There are gains to be had, but it's certainly not as easy to implement or as universally applicable as some proponents suggest. Real security issues remain, and while AI-targeted DLP solutions do exist, not all concerns have been resolved, and there are new ones likely to arise. When it comes to gen AI, I'd basically say we're yet to define, let alone achieve, that elusive balance between innovation and security.
Delaney: Lots of great findings there that we can unpack. But I just wanted to know what surprised you there, and was there anything unexpected in these findings?
Morbin: Both the deniers dropping by two-thirds and the usage doubling. I know we've had a lot of hype about how AI is being used, and on one level, the doubling is surprising: for any new technology to have doubled its usage in that short space of time. And yet, on the other hand, only 28% are genuinely implementing it, which is probably lower than some of the hype might lead you to believe. So that, and also, people found it a bit more complex to implement than I thought they would find it. People have had a lot of difficulty with the nitty-gritty of just getting this implementation done.
Delaney: Interesting! One of Forrester's predictions for 2025 is that they see CISOs deprioritizing gen AI usage, as they're not seeing the productivity gains they had anticipated. Maybe there's something in that. Thank you, Tony. I look forward to reading the report in full. Finally, and just for fun, looking back to when this panel first began in March 2021, what's one major shift you've noticed in cybersecurity over these 200 episodes? Is there one hot topic from those early days that now feels slightly nostalgic or even laughable?
Field: Since we started this, I finally had the opportunity to meet both Tony and you. We had been virtual colleagues for some time before then, but in 2022, we had the opportunity to meet. That's one big change. The other thing I would say is that remember we used to talk about the new normal. We don't say that anymore, but the reality is that we do work from places now that never would have been allowed before we started this series. People work on devices that never have been allowed to connect to networks before this series began, and they use networks at home or on the road that never would have been sanctioned before this series. Where it comes down to is that we do have the largest potential attack surface in history. We're only growing it, and it means that we're going to be here for a good 200 episodes more, easily.
Delaney: Tony?
Morbin: In 2021 we were just coming to terms with the pandemic-induced work from home, and worrying about how we could secure our remote workers accessing critical systems. DDoS was also a big concern at the time, and now we've seen ransomware continue to evolve and grow into double and triple threats, and also discovered exactly how cyber plays out in warfare, becoming an integral part of hybrid war, but not the expected game changer, whereas the game changer that we are seeing, of course, is all things AI and automation. It's been a real time of tumultuous change, and it's just accelerating.
Delaney: Yes, very different geopolitical landscape, but we're not talking about unprecedented times so often in our instant interviews. Mat, what about you?
Schwartz: The Ukraine war, and that we still don't know the trajectory of that. Like Tony said, a lot of stuff that seemed black and white, like cyberwar might happen, cyberwar won't happen. Things have been a lot more nuanced, and it's still not clear where all of that's going. One of the big surprises were the red lines that we've seen Russia and allies abiding by. It hasn't been Armageddon, thankfully. That is a huge question. Another big question for me again, as we face the change in administration is, will we be looking back in a few years at what was maybe the myth of historical progress on the cyber front, what may or may not get rolled back in the U.S., and where will that leave us in a time when, arguably, we need more, not less, cybersecurity leadership? Are we going to get it? That's an open question, and what the impact could be is an open question. Not trying to end on a depressing note, but tough times ahead, potentially.
Morbin: Yeah, I hope we're not looking back to the days when we had CISA.
Delaney: I was looking at our very first editors' recording. We discussed nation-state threats, supply chain risks, adopting a zero trust strategy, ransomware trends, cyber insurance and what have you. The core challenges might not have changed, but certainly the acceleration of gen AI advancements and the increasingly complex supply chain have certainly raised the stakes. There was a time, though, when we spoke about zero trust on a weekly basis, certainly on these panels, maybe a little less now. Maybe that's because of the EO, maybe the cyber-suit, the zero trust sector order, maybe.
Morbin: It's underlying a lot of things, though, even if it's no longer, because, like everything, you know, it gets popular, gets a lot of hype, and then people jump on the bandwagon about things that are not zero trust or are branded zero trust, but the underlying fundamental of zero trust is still there in virtually all the conversations.
Delaney: That's probably the reason. The human error challenge hasn't gone away, and it is incredible to think this was a time before ChatGPT, which feels nostalgic in itself. Thanks to you all not just for your insights today, but for your hard work and contributions over the years on the Editors' Panel. Until next time.