27 June 2022

Cybersecurity’s bad and it’s getting worse

Joseph Marks

Thank you!: To editors who guided me; researchers who wrote far more of this newsletter than most people realize and frequently caught my errors before they got into print; fellow reporters at The Post and elsewhere; sources without whom this newsletter would not have been possible, especially those who spent hours patiently explaining complex issues to me (you know who you are); and to readers who always gave me great feedback and made the newsletter better.

As for me: I’ll be heading to Johannesburg, where my wife will be doing her first tour as a U.S. Foreign Service officer. I’ll be doing some freelance reporting, so send any South Africa stories and tips my way. Please stay in touch. You’ll still be able to find me on Twitter. Other contact info is in my bio there.

It's hard to overstate how much cybersecurity has surged as a top concern

There are few analogues in history for how cybersecurity has surged in importance as a government policy issue during the past eight years.

It’s gone from a relatively back-burner issue embraced by a handful of government officials and lawmakers to a top national security concern — one that prompts partisan squabbles in Congress and heated confrontations between U.S. and Russian presidents.

And that’s probably just the beginning. Things will definitely get wilder from here.

This is my last Cybersecurity 202 after three-and-a-half years authoring this newsletter and eight years as a journalist on the cyber beat.

Eight years is a long time on any beat. It’s several lifetimes on this one.

Here are three big themes that have preoccupied my reporting the past eight years.

Bigger, bigger, BIGGER

Cybersecurity wasn’t unimportant when I started on this beat in April 2014. But it was a shadowy topic, more fretted about than understood. When cyber news stories broke through to mainstream audiences, they were usually about credit and debit card breaches that had limited real impact on consumers except the few who suffered identity theft.

The big story at the time was a mammoth credit card breach at Target that had forced the big box retailer’s CEO to resign — a cataclysmic event for industry then that’s largely a footnote now.

Things changed quickly.

Within a few months, there began a series of major events that would redefine the role of cyberthreats and cybersecurity in the national conversation.

The year 2014 alone included the first U.S. indictments against Chinese government-backed hackers and the Pyongyang-backed hack of Sony Pictures Entertainment after North Korean leader Kim Jong Un objected to one of the studio’s movies. Within weeks of the Sony attack, during the first days of 2015, the Obama administration imposed the first-ever sanctions for a cyberattack on North Korea.

Then came the FBI’s push to mandate government back doors in encryption systems, Russian hackers’ efforts to interfere in the 2016 elections, a series of devastating criminal ransomware attacks against U.S. critical industries, and on and on and on.

With each passing year, cyber insecurity became a more fundamental and important aspect of U.S. policy, politics and daily life — similar to how connected technology itself had become increasingly pervasive a decade or two earlier.

By 2022, the prefix “cyber” has begun to seem anachronistic because digital conflict and crime are more the standard than the outlier.

Criminal ransomware gangs, for example, draw far more attention these days than conventional organized crime. And even the mafia is getting into hacking to support traditional criminal pursuits such as drug trafficking and extortion.

The cyber component of Russia’s Ukraine invasion has been more limited than some experts predicted. But it still underscores that cyber operations are sure to be a component of every future military conflict.

Lots of big talk, little real change

U.S. cyber protections have, by and large, not remotely kept pace with the threat.

The vast majority of companies are still compromised by hackers because of simple and preventable lapses, such as using shoddy passwords, not updating commercial software and employees getting conned by phishing scams that they should be wise to.

Why?

There are a lot of possible explanations, including corporate apathy and a structural advantage held by hackers.

One big explanation, though, is that government and other large institutions haven’t done the necessary work to change companies’ incentives to make cyberattacks less common. That’s unlikely to change soon.

The years-long wave of increasingly brutal and consequential cyberattacks has not been accompanied by big legislative changes.

It was only this year that Congress mandated that some companies report to the government when they’re hacked. The law only applies to firms in critical industry sectors such as finance, energy and health care, and it may not go into effect until 2024.

That’s a big improvement but an exceedingly minor requirement considering the roughly $1 trillion that McAfee estimates is lost to cybercrime each year.

Federal agencies have mildly ramped up cyber requirements in a handful of critical industry sectors, including pipelines and rail transport, but to decidedly mixed reviews from the regulated companies.

White House officials say they’re unable to move harder on regulation without specific authorization from Congress.

Many hoped that cyber insurance policies would force companies to adopt better practices to maintain coverage.

What’s mostly happened instead is that insurers have competed for customers by making compliance less onerous. They’ve often failed to verify that companies are following the requirements they do put in place.

Which brings us to the third big theme …

Things will get worse before they get better

This is about as easy as predictions get given the course of the past eight years. Everything got worse — often in unexpected ways.

The cyber future is especially treacherous because of a number of powerful new technologies that will integrate the internet ever more deeply into the fabric of daily life — including 5G wireless networks, artificial intelligence and connected technologies such as smart thermostats.

That will give hackers significantly more power to cause damage.

Then there are the unknown threats. Given the pace of technology development, it’s likely the nation will be hit within the decade by forms of cyberattacks that are hardly conceivable today.

The topic reminds me of an interview I conducted with a former contractor for the Defense Advanced Research Projects Agency (DARPA) who wrote a report about looming cyberthreats in the year 2000. The report was released publicly for the first time in 2018 as part of a broad public information request by George Washington University’s National Security Archive of emails and documents shared with former Defense secretary Donald Rumsfeld.

The report presciently noted how early the nation was in cyberwarfare developments — comparing it to the state of air warfare in the years before World War I.

More than 20 years later, those unknowns are even bigger — largely because the internet touches not just warfare but nearly every facet of modern life from business and commerce to entertainment and romance. It’s unlikely we’re anywhere near a stable point in cyber development where we can speak with confidence about the future.

But I’m curious to see what happens.

The keys

Senate committee advances measure to make it easier for U.S. spy agencies to hire people who have used marijuana


If the bill passes, it could help the U.S. intelligence community recruit young professionals like hackers who have long been turned away over past marijuana use, the Wall Street Journal’s Dustin Volz reports. The provision was unanimously approved by the Senate Intelligence Committee in a must-pass intelligence authorization bill, but the legislation could still be changed.

The “common-sense provision … will ensure the intelligence community can continue to recruit the most capable people possible,” Sen. Ron Wyden (D-Ore.), the sponsor of the measure, tweeted.

How times change: The move marks a substantial shift from 2014 when then-FBI director James B. Comey apologized to senators after saying that restrictions on past marijuana use were hampering the FBI’s cyber hiring. Comey — who noted that “some of those kids want to smoke weed on the way to the interview” — later said he was joking.

Here’s more from Blake Sobczak, the editor in chief of README:

If this advances, it'd be a big deal for national security agencies' ability to recruit #cybersecurity talent. Many otherwise qualified security specialists have <gasp!> smoked pot, which is legal in the tech hub of California and in 18 other states + D.C. https://t.co/C6lZF4tiaT

— Blake Sobczak (@BlakeSobczak) June 23, 2022

A new bipartisan bill aims to block high-risk countries from acquiring sensitive U.S. data


The bill would dramatically limit when sensitive U.S. data can be housed in countries considered by the U.S. government to be a high risk, Reuters’s Alexandra Alper and David Shepardson report. China appears to be a main target of the legislation, they report.

Details: The bill would direct the Commerce Department to identify personal data that could harm U.S. national security if it’s exported. “If approved, the bill would also direct the Commerce Department to require licenses for bulk exports of the identified categories of personal data to other countries, and deny exports to high-risk countries,” Alper and Shepardson write.

The bill is co-sponsored by Senate Finance Committee Chairman Ron Wyden (D-Ore.); Sen. Marco Rubio (R-Fla.), the top Republican on the Senate Intelligence Committee; and Sens. Cynthia M. Lummis (R-Wyo.), Sheldon Whitehouse (D-R.I.) and Bill Hagerty (R-Tenn.).

Italian spyware targeted people in Italy and Kazakhstan, Google says

Milan-based RCS Lab’s spyware targeted people using both iPhones and Android devices, Reuters’s Zeba Siddiqui reports. It’s not clear which RCS client used the spyware or who they were targeting. But the company's clients include law enforcement agencies in Europe, according to its website.

Google’s Threat Analysis Group identified RCS Lab as the vendor behind the spyware. Cybersecurity firm Lookout last week said RCS probably developed the software.

In some cases, the attackers apparently worked with internet service providers to turn off mobile data on the target’s phone, then lured the victim into installing an app to restore it, Google said.

The reports come amid widespread concern about spyware. The Biden administration has blacklisted Israeli spyware firm NSO Group, which came under scrutiny after reports that its Pegasus spyware was used to target journalists, activists and executives.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” Google said.

Google is raising the alarm about spyware. It’s tracking more than 30 spyware vendors with different capabilities and levels of public awareness, Google said.

“The commercial spyware industry is thriving and growing at a significant rate,” it said. “This trend should be concerning to all internet users.”
