Cyber Daily catches up with David Wiseman, vice president of secure communications at BlackBerry, for a chat about cyber espionage and AUKUS and how to convince leaders to be more secure.
With a range of global conflicts driving a rise in international tensions, cyber espionage is making headlines around the world, from Chinese hackers targeting entities in its sphere of influence to Russian-backed threat groups taking on their counterparts in NATO.
But what does that look like in our own Australian backyard?
We sat down with BlackBerry’s VP of secure communications, David Wiseman, to answer just that question.
Cyber Daily: We know that cyber espionage is probably, I would imagine, at one of its highest points in recent years, given what’s happening around the globe and the various conflicts that are fuelling it. But I’m wondering if you can dial into what that landscape might look like in the ANZ region and what impact it might be having on our businesses and agencies.
David Wiseman: Absolutely.
My particular focus is secure communications, so calls, messaging, all that type of stuff. But obviously, that’s an important element of cyber espionage, and it plays into the whole area of signals intelligence. It’s not a new topic, but it’s always evolving, and always becoming more challenging.
And I think if we think about the ANZ region, it’s at a particularly higher risk, maybe, than some others. The reason I say that is because of the close partnerships that Australia has with AUKUS and the other Five Eyes countries, and it becomes a target due to this type of political, technical, military information more so than other countries where it might be more economically focused and intellectual property-focused, which is certainly the case in Australia as well.
But Australia, I think, also has a much more geopolitical focus from very advanced adversaries. With that in mind, I think it’s important to think about how people are communicating, and by communicating, I mean the technical means of communicating, and what are the potential risks and areas they should think about.
And that’s some of the things I talk to governments… Five Eyes governments and other governments around the world.
CD: So given that you speak to a lot of governments, and I imagine governments that are far closer to some of these threats than we are, despite what you just said, I’m curious how the NATO countries might be adapting to this environment because I imagine what they’re doing is probably what we need to be doing as well?
David Wiseman: We actually work very closely with NATO itself, as well as a number of the member countries, and one of the things we see there, and we’ve been doing so for a number of years, is that within NATO, in the past, there was a lot of focus on protecting the communications of senior officers, senior officials. And by communications here, I mean things on their mobile phones and their emails. There are always official radios and stuff that are protected, but I’m talking about their general everyday communications.
So there’s been a focus on it, and particularly where you have the different countries, and geographic distribution, not as broad as all the way reaching out to Australia, but still significant distribution, the people in different time zones, they’re going to reach for their phones. They’re going to have those communications, but the difference that we’re seeing now is they’re starting to push that down to lower and lower levels in the organisation, like lower officer ranks, and senior enlisted staff.
The reason is because of the overall situation that NATO is facing right now; there are very aggressive intelligence programs that are targeted, specifically, at people in the military, and particularly those assigned to NATO and the depth of what the protections that need to be done, coupled with a policy thing of … People need to be more careful in general and think about how they’re communicating information more than maybe they did three years ago.
CD: Some of the threat vectors there I find are really fascinating as well. When you think about these kinds of … signals intelligence and intercepts, you think about things like Pegasus spyware and other advanced techniques. But I remember a story a little while ago that a pro-Russian threat group DDoSed NATO infrastructure, stole credentials, and then used those credentials to create profiles on queer dating sites just to … make a point, I guess.
Is there anything that these intelligence gatherers and cyber threat actors … Is there anything they won’t stop at?
David Wiseman: I don’t think there’s any limit to what people would do to gather information they felt was critical to their particular mission. And in one sense, that’s another flavour of social engineering attacks, which are well known, and there are different words for it, hundreds of years ago, but it’s the same concept, right?
But I think the challenge is that there’s been so much consumerisation of technology, even within the workspace, even within the military, that people start to forget that they could be susceptible in an adjacent way. And there were stories in the press several years ago about sport activity watches helping people identify military bases in Africa. That is one example.
But I think the key is, with that in mind, it becomes very important to kind of segregate your business communications, your business data, your government information, from your personal data, even if you might be using the same devices. But there are different technologies around cryptographic separation.
You can have zones of information, zones with different layers of protection, and prohibit bleeding of information between those, so, in a lot of cases, getting someone to have a second device isn’t necessarily practical in a lot of cases. But allowing them the capability to segregate the business from the personal can be important, even if their personal app or whatever is bleeding information, the information going to bleed is only other personal information on the device, which might be unfortunate for a particular individual, but it’s better at the national level, for other sensitive communications.
CD: When you’re giving this advice to serving military and politicians to executives … Do you ever get pushback on your recommendations?
David Wiseman: The pushback I get – and this becomes more of an educational discussion with people – but the pushback is, “Hey, we want the maximum security, maximum possible security, but we still want to do everything we want to do on our phones.” So you have to stop for a second and say, “Well, you know, that’s a bit of a fairy tale, right?”
So what I talk to people about is there’s a spectrum of security, and there’s a spectrum of risk, and you need to decide based on your organisation, based on your role. It needs to be decided where particular users are on that spectrum of risk, and then you can apply an appropriate set of security. And if you’re in a very sensitive role with very sensitive information, there’s going to be a lot of policy things that you just have to accept, and that’s well known in the military. You know, if I have classified information, I have to treat it a certain way, whereas, someone else, you can provide them a basic set of protections that aren’t really going to impede their ease of use.
My view on it is the farther you can be towards that side of not putting impedances on people, the more likely they are to adopt and use the capabilities on a day-by-day basis. So I think you actually have to be very cautious about rushing to the maximum side because then what happens is people say, “This is too complicated. Well, I got this other phone over here. I’m just going to go use that.”
So you create friction, and the thing about that is a lot of the core technology is similar, but it’s the policies that you put around those where you kind of crank the knobs up higher.
CD: I guess that’s cyber security 101, in a broader sense – you know, first of all, determine your risk appetite.
David Wiseman: We kind of started off talking about the ANZ region, and we talked about AUKUS and Five Eyes. As you work with other countries, that risk appetite calculus is a little bit more involved, too, because it’s not just your perception of risk, but your partner’s perceptions of risk as well, and what the intersections of those are, and it may be one set when you’re working within Australia, but it might be another set when you’re communicating with the AUKUS partners.
CD: What can you tell me about the nature of what some of these threat actors are doing right now? Like, how are their tactics and strategies evolving in the current environment – both sides are constantly acting, and counter-acting. So what are the bad guys up to?
David Wiseman: From a communications espionage perspective, really three main areas, but inside those areas, the threats keep evolving, as well as the way people go about it.
So the first one that people typically think about the most is interception. Someone’s tapping my phone, they’re tapping my phone lines. They’re listening in to what I do, and that is definitely a risk. You’ve read about the spy balloons, right? And not only in North America – Japan had this as well, scooping up cellular data and other types of radio frequency information.
It’s pretty well known there are devices, typically used by law enforcement, that you can put in the van, and you can simulate a cell tower and grab all the traffic. And there are public reports in the press, over the past decade of London, Washington, Ottawa, numerous of these devices being found, and they weren’t all … We’ll call it ‘officially provisioned devices’. So that aspect is what people think about, but it’s actually not the biggest risk day-to-day.
The one that people also are aware of – and is probably a big personal risk to people – is identity and identity spoofing. Everyone gets text messages that say, “Hey, I got a new phone. I need your number,” and all that … So that’s kind of one version of it. But with consumer messaging applications, people use WhatsApp or Signal, and there’s no real identity management during registration; so you can actually present yourself as someone you know, and you start communicating with them – you’re pretty sure that’s who it is, but it actually isn’t. And they can even be using a number that you already had.
Those attacks are becoming more and more sophisticated with some of the deepfake things that we see around AI now, where you’re texting, but you’re not quite sure. “Hey, let’s just have a call,” and it sounds like the person, right? Or it looks like the person. And so that identity area, I think, is for most individual people the biggest risk of being compromised. There’s been a lot of reports about senior political leadership around the world where this has happened, where the president of a country thought they were texting with one of their aides and they weren’t.
The third one, which is a big long-term risk, is metadata. And by metadata, we’re talking about like, not the actual content of the communications, but who’s communicating with whom and when. And this is something where there are large programs around the world to basically scoop up all this information and continually analyse it and archive it. And there’s a lot of value to be derived from that. A lot of times, you learn more just from the metadata than if you actually tried to listen to every conversation, because all of a sudden, it’s 2am and all of these connections are connecting to each other. So what’s going on?
You might have heard of some of the pizza stories out of Washington, DC, where – all of a sudden – pizza deliveries to the White House are happening at 2am, and you know something is happening.
And then that third one, if you look at, for example, some of the [AUKUS] Pillar Two things that are being talked about, one of the things that comes into play there is quantum computing, and one of the things around the metadata is there’s this idea of store-and-harvest where you may have your data that’s encrypted, but in the future, it could be decrypted.
Even though those computers probably aren’t around right now, that data is going to be around for a long time. There’s a lot of work around quantum-resistant cryptography for key exchanges and a lot of that has to do with metadata as well.
CD: So my last question, and it’s one I like to ask a lot as the answers are often quite informing … What, right now, worries you most about what you’re seeing out there in terms of cyber security? What keeps you up at night?
David Wiseman: You know, I try to sleep peacefully and everything. But, sometimes, it’s difficult.
I think people have become too accustomed to – this is beyond the specific things I do, though, it’s a part of it – trusting information. And the flip side of that is if you don’t trust any information, and that leads to a lot of the challenges that we see in the world today. And my view on that is you need to have established sources of information, certain communication channels that you know you can trust.
And you need to do that, particularly in government, and in the fact that many governments around the world, including in Australia and New Zealand … they’re just using consumer applications. You’ve seen all of the recent things around Telegram, for example, and that just reinforces that there’s all this garbage information. How can I trust it? Or not?
I think people need to make a conscious decision that one of the key elements to trust is the actual infrastructure that you’re communicating in and the environment that manages that. And it can’t just be some cloud server run by who knows whom, somewhere in the world. And, from a business perspective, that’s the thing that I worry about, that kind of lack of acceptance of that risk and how to address it.
CD: Thanks for your time, David.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.