
July 21, 2025 11 mins


The US military has issued a stark warning to all forces to operate under the assumption that their networks have been compromised by Salt Typhoon, a sophisticated threat actor with ties to the Chinese government. This breach highlights the urgency for organizations to adopt Zero Trust principles as cyber warfare becomes the new battlefield.

• Zero Trust is a framework, not a single product or technology
• The first tenet of Zero Trust is treating networks as already compromised
• Salt Typhoon remained undetected in networks for almost a year
• The threat actor targeted telecommunications, energy, and transportation infrastructure
• Critical national infrastructure remains at high risk from similar focused attacks
• Traditional security approaches focusing solely on perimeter defense are inadequate
• Once compromised, networks may never be fully trusted again
• Verification must occur upon every access request, not just initially



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Alrighty then, ladies and gentlemen, welcome back to
another episode of Privacy, please.
I'm Cameron Ivey, alongside Gabe Gumbs.
How you doing, Gabe, how we doing.

Speaker 2 (00:09):
I am good, I'm good, we are dead.
In the middle of it.
It's a couple of weeks before Black Hat and DEF CON, gearing
up for that summer festival.
Yeah, Hacker Summer Camp, Hacker Summer Camp when's that?

(00:34):
Again, that's coming up um August, August.
So Black, uh, DEF CON's August 7th starts at August 7th, but
there's a bunch of things going on, right.
So you've got BSides which starts the weekend prior, right,
Black Hat, which I think, kicks off on the 5th.
I could be wrong about Black Hat, I don't remember, but DEF
CON starts on the 7th.

Speaker 1 (00:50):
I was pretty excited and I haven't been.
I don't think I've been to Black Hat one time, but I
haven't been to any of those in a couple years now.

Speaker 2 (01:00):
Yeah, something about not going to the desert in the
middle of summer.
That's okay with me quite frequently, it's okay.
It's okay.
It's okay to miss one once in a while, although it's a great
time.
It's an awesome time.
I'm always good to catch up with friends and, you know, make
some new ones in the security community.

(01:20):
It's always some amazing talks on display.
It's always a good time.
No complaints, except for the weather.
The weather be.
The complaint.
120 night is.
We're not built for that as humans, quite frankly.

Speaker 1 (01:33):
No, that sounds super uncomfortable.

Speaker 2 (01:35):
Yes.

Speaker 1 (01:36):
I was driving the other day I saw this guy on a
scooter with like a black sweater hood, on jeans, walking
in the middle of the day almost 100 degrees.
I'm just like I don't how, why, what are you?
What's?

Speaker 2 (01:50):
happening Across the street.
Man Across the street Sounds like a Luigi's scenario, like I
wouldn't be worried unless I'm the CEO of a large healthcare
company, is it?
I don't know, we may have just lost a couple of subscribers on
that one.

Speaker 1 (02:03):
No, no, we got this.
So, Gabe, I'm going to paint a picture for you and for,
obviously, the audience, on what we're going to go into talking
about today.
So imagine you're in charge of defending a fortress.
For years, you focused on strengthening the walls, locking
the gates and watching the perimeter.
Then, one day, a stunning order comes down from the top.
Stop worrying about the walls.
Assume the enemy is already inside with you.

(02:26):
It's pretty powerful.
Yeah, there was a stark you pulled me into this about a
stark warning that the issue to all US forces to operate under
the assumption that their networks have been compromised.
Let's dig into this.

Speaker 2 (02:40):
So one of the more interesting things about that
statement, of course, is and we've talked about it, I think,
on this show more than a few times operating under the
assumption of compromise.
In fact, right before this, right before we hit the record
button, we were talking about the last time I gave a public
talk, and it literally just reminds me the title of that
talk was the bust out the old deck, and maybe we'll link it to

(03:04):
this episode, but it was around the very notion of how we adopt
the NIST zero trust principles, because the NIST zero trust
principles literally begin with the assumption of compromise,
and so, in one breath, they're not saying anything that you
shouldn't be doing or they shouldn't have already been
doing from an operational standpoint, but what they're

(03:25):
actually saying here is no, no, no, no, no.
This is not a drill.
This is not a drill.
Assume that this network is freaking compromised that's a
big deal.

Speaker 1 (03:37):
And what were your first thoughts, besides just
saying, oh shit, like what, like this is a big deal.

Speaker 2 (03:43):
You can't shut the barn doors is the first thing
that came to mind.
Like I do not know if you can uncompromise a network.
The thing with the assumption of compromise is you should
assume that you also can't uncompromise the network.
So in one breath it will certainly accelerate the
adoption of zero trust within critical infrastructure.
So that's a positive.

(04:04):
But the thing that worries me there, of course, is well, the
networks should just be considered actually compromised.

Speaker 1 (04:12):
Right, okay, so real quickly.
Most of our listeners should probably know this, but let's
just play the fun role of Gabe.
What is zero trust and why is it the recommended solution that
it's going to fall into?

Speaker 2 (04:25):
It's a framework.
So, first and foremost, it is not something that is purely
tangible.
It is not any one singular product.
So if anyone told you they have a zero trust that you can buy,
be wary.
We warned you, we warned you, we warned you.
It is a framework under which one of the first, not one of,

(04:46):
but the first tenet of zero trust is that network should be
treated as though they already compromised.
And when you do so, it means that you need to do things like
validate access upon every request.
So not just grant access and then allow access to always be
given upon every request for an asset, revalidate access.

(05:07):
That's just one of the many things that zero trust
encompasses.
It is a NIST framework, it is published by NIST I don't
remember the number, unfortunately.
I guess I'm not that big of a zero trust geek.

Speaker 1 (05:18):
Hey that's all right, that's all right, you don't
know everything.

Speaker 2 (05:21):
I could probably quickly look it up but it is a
framework, and so a lot of vendors selling different
security solutions will kind of operate under this banner that
their technology will assist you in doing so.
That is a good thing.
Quite frankly, it's difficult to achieve zero trust without

(05:42):
some help in some of those environments.
But again, the warning be there is no silver bullet for zero
trust.
And it is not just technology, it is also protocols and
procedures.
Right, there's quite a bit more to it.

Speaker 1 (05:58):
Can you humor me a little bit on this?
The sophistication and patience of Salt Typhoon.
What exactly is that?

Speaker 2 (06:05):
Salt Typhoon is a threat actor believed to be tied
to the Chinese government.
That is, the threat actor believed responsible behind this
breach of the network.

Speaker 1 (06:18):
Well, they're a well-sourced cyber espionage
group with links to the Chinese state.
Yeah, their ability to remain in a network for almost a year
without detection points to a high level of sophistication and
patience.

Speaker 2 (06:31):
Hence the reason I don't know that one can ever
trust that network ever again.
A year is a long time to bury yourself in.

Speaker 1 (06:40):
Yeah, I mean.
Obviously the biggest worry is their focus on stealing data
that can be used for future, potentially more damaging
attacks on critical national infrastructure.
Yeah, yeah, it's not good.

Speaker 2 (06:54):
No, it's not good.
It's not good, it's not good at all. Not good.

Speaker 1 (06:57):
So what's being done?
What do you know that's being done so far?
What do you think the this warning?

Speaker 2 (07:02):
being issued.
I don't know of anything being done.
Well, like, who would handle this?
Do you think the this warning being issued?
I don't know of anything being that well, like, who, like, who
would handle this, you think?
Like?
That's also a great question, you know.
I'm honestly not certain I know the answer to that, but we've
got some foods in the intelligence community.
We should probably snag on the show to talk about that.
Um, I don't know who picks up the ball from there.
Really, I could I could throw out all kinds of wild guesses,
but they, they might just be that are wild guesses.

(07:23):
Yeah, I don't actually know.
I know this much, though, that we should all certainly heed
that warning and operate under the same tenets though, yeah,
which I guess is just a long-winded way of saying hello,
everybody, wake up Please.
If you haven't already started adopting zero trust, do so.
Do so now.
Everyone should adopt?

Speaker 1 (07:46):
Yeah, because to that point there's broader
implications that go beyond national security and privacy.
So beyond military networks, Salt Typhoon.
Also targeted telecommunication yeah, just like AT&T, Verizon
all compromised record like basically been accused of AT&T
and Verizon was accused of recording private conversations

(08:07):
of senior US political figures.
There you go they.
Targeted critical infrastructure like energy and
transportation highlights the potential of widespread, so
probably stuff like Uber, I would imagine.

Speaker 2 (08:21):
Yeah.

Speaker 1 (08:23):
And Lyft and all those type of.
There's so much information on that, so this is really big and
it's it's saying that this is also a pattern, Gabe, this is
not just a one off of that.

Speaker 2 (08:45):
No, not at all, and it will continue to be.

Speaker 1 (08:46):
You know, cyber warfare is the new warfare.
Yes, conventional warfare still exists, but it is the new war,
yeah.
So yeah, this is super interesting, but maybe we'll dig
into this a little bit later.
If anybody has any questions or knows more about this stuff,
we'd love to have you on or just shoot us a message.
But yeah, we'll see you guys next week.
Gabe, thanks for the chat Right on, right on Next week.
It is Sounds good.
See you guys.