10 December 2023

Clandestine online operations now require sign-off by senior officials

Ellen Nakashima

Good morning! I’m Ellen Nakashima, a national security reporter at The Post who covers national security and intelligence issues. You can follow me on Bluesky, Mastodon or X.

Below: The U.K. denies a report on nuclear site hacking, and U.S. agencies fall behind on meeting federal cybersecurity requirements. First:

Clandestine online operations now require sign-off by senior officials

Combatant commands continue to undertake information operations online using identifiable U.S. military accounts. But the practice of deploying sham accounts to attempt to influence overseas audiences has been dramatically reduced, senior Pentagon officials said. (Charles Dharapak/AP)

Following a controversy over the Pentagon’s use of clandestine information operations, the U.S. military has eliminated dozens of false online personas it created in recent years and has curtailed the use of such operations overseas, according to senior defense officials.

Clandestine online operations now require sign-off by senior Pentagon officials, the CIA and the State Department, according to the officials, who spoke Monday on the condition of anonymity because of the matter’s sensitivity.

The new policy follows a review and pause initiated last year by the undersecretary of defense for policy, Colin Kahl, who stepped down in July. His review, first reported by The Washington Post, was prompted by an outcry following the publication of an August 2022 report by internet researchers Graphika and Stanford Internet Observatory. The researchers revealed takedowns by platforms including Facebook and Twitter — now called X — of more than 150 bogus personas and media sites, and suggested that the accounts might have been created by the U.S. military.

In the wake of the review, “new levels of oversight — to include coordination within the interagency — is now being applied to the department’s MISO activities,” said a Pentagon spokesperson, Lisa Lawrence, referring to military information support operations, the Pentagon’s term for psychological or information operations.

The Post confirmed with U.S. officials last year that many of the accounts examined by the researchers were indeed used by the U.S. military, and in particular U.S. Central Command (Centcom), whose area of operations includes the Middle East, North Africa, and Central and South Asia.

Some of the accounts taken down included a made-up Persian-language media site that shared content reposted from the U.S.-funded Voice of America Farsi and Radio Free Europe. One fake account posted an inflammatory tweet claiming that relatives of deceased Afghan refugees had reported bodies being returned from Iran with missing organs. The tweet linked to a video that was part of an article posted on a U.S.-military affiliated website.

If such accounts are unmasked as being the work of the U.S. government seeking to impersonate grass-roots activists, it could erode — or further erode — the United States’ credibility abroad with target audiences in the developing world, U.S. officials said.

Combatant commands continue to undertake information operations online using identifiable U.S. military accounts. But the practice of deploying sham accounts to attempt to influence overseas audiences has been dramatically reduced, senior Pentagon officials said. “It’s nowhere near the volume it was previously now that there’s oversight and greater scrutiny given to all of them,” said one official.

The operations by Centcom, which had taken place within the past several years, did not gain much traction, according to Graphika and Stanford Internet Observatory. The campaigns involved posts, for instance, that advanced anti-Russia narratives, cited the Kremlin’s “imperialist” war in Ukraine and warned of the conflict’s direct impact on Central Asian countries.

The researchers concluded that the military’s overt accounts actually attracted more followers. Such overt, attributed activity forms the bulk of MISO.

Indeed, said the Pentagon officials, military psychological operations “should not go away but we just need to make sure it’s being done judiciously and lawfully.”

In July, the Defense Department issued an updated information operations strategy, which did not address clandestine activity. In general, it said that “a coherent” information operations strategy “requires a clear understanding of the drivers that shape” audiences’ perceptions and that the intelligence community must “gain a better grasp on the motivations that drive behaviors.” Only once that is done can “informational power … be effectively applied.”

The keys

U.K. denies Guardian report of Sellafield nuclear site hacking

Britain denied reporting from the Guardian that the nation’s Sellafield nuclear site was breached by Russia- and China-linked hackers.

The Dec. 4 report claims that hackers as far back as 2015 have deployed malware on Sellafield’s systems and that some of the site’s most sensitive activities, like moving radioactive waste and monitoring for dangerous material leaks, have been compromised.

The British government denied the reporting in a statement to Reuters. “Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system,” the U.K. said. “This was confirmed to the Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting,” the statement added.

The original Guardian report said that “it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.” The outlet said the claim was corroborated by unnamed sources.

The findings come amid a broader investigation from the outlet about safety and security lapses at the nuclear site, which made plutonium for Britain’s nuclear weapons program during the Cold War.

Sellafield was designated as an entity that failed to consistently meet robust cybersecurity measures, the Guardian adds, citing sources at the Office for Nuclear Regulation (ONR) and the security services.

“Some specific matters are subject to ongoing investigations, so we are unable to comment further at this time,” a spokesperson told the outlet. The Guardian noted that the spokesperson confirmed that Sellafield wasn’t meeting cyber standards.

ONR gave a similar perspective to Reuters, saying it did not see evidence of state-affiliated hackers breaching the site’s systems but that, broadly speaking, it was not meeting cyber standards set by regulators.

“In a statement, Sellafield also declined to comment about its failure to tell regulators, instead focusing on the improvements it says it has made in recent years,” according to the Guardian.

Around half of 23andMe users affected in breach

Around 6.9 million users — a number far greater than the scope of accounts initially hacked — were affected in an incident targeting 23andMe users in October, TechCrunch’s Lorenzo Franceschi-Bicchierai reports. A chunk of the data — on 5.5 million users who opted in to a data-sharing feature called DNA Relatives, which lets users share some ancestry data — included “the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location,” Franceschi-Bicchierai writes.

“In disclosing the incident in October, 23andMe said the data breach was caused by customers reusing passwords, which allowed hackers to brute-force the victims’ accounts by using publicly known passwords released in other companies’ data breaches,” Franceschi-Bicchierai writes.

The new figures indicate that about half of the company’s customers were affected in the incident.

Besides the 5.5 million users, 23andMe said that another group of around 1.4 million users who opted in to DNA Relatives had family tree information accessed during the breach, Franceschi-Bicchierai reports.

23andMe is “in the process of providing notification to users impacted by the incident as required by applicable law,” the company said in an SEC filing on Friday. The company required all users to reset their passwords earlier this year, and last month required all users to use multifactor authentication, according to the filing.

In October, a hacker claimed to have stolen and published data from the site, mostly from people of Ashkenazi Jewish ancestry. The hacker offered the data for sale online. The company said in the SEC filing that it was working to remove the data “from the public domain,” and that as of the date of the filing, “the Company believes that the threat actor activity is contained.”

In October, our colleague Joseph Menn notably reported that the data pilfered from 23andMe “could cover more than half of the company’s 14 million customers, based on the number of people who have opted to make their data visible to relatives, including distant cousins.”

Several agencies falling behind in meeting OMB cyber priorities, report finds

A U.S. Government Accountability Office report released Monday says that while several federal agencies have been working to boost their cybersecurity posture, 20 have not fully met requirements for event logging, in which cyber incidents are logged and retained.

“The Office of Management and Budget (OMB) required agencies to reach the advanced (tier 3) level by August 2023. The tier 3 level means that logging requirements at all criticality levels are met,” the GAO report says. But just three of the 23 agencies designated under more stringent OMB management have met that third-tier level, the findings state.

Logging has become a major topic of discussion in cyber circles, following hacks reported in July that were carried out by Chinese cyber operatives and that breached the email accounts of federal officials in the State Department and Commerce Department.

Lack of staff, technical challenges and limitations in cyberthreat information sharing have made it more difficult for agencies to adopt optimal cybersecurity practices, the GAO adds. Agencies were expected to analyze and adopt the third-tier standards by an August deadline.

The nearly 80-page report also details that all 23 of the agencies have begun endpoint detection and response frameworks that seek to detect digital threats across entire networks.
