CyberWire Daily - Election security on the eve of the US midterms. US FBI rates the hacktivist threat. Microsoft says China uses disclosure laws to develop zero-days. Remember Silk Road? The Feds do.
Episode Date: November 7, 2022
Election security on the eve of the US midterms. US FBI rates hacktivist contributions to Russia's war as unimportant. Microsoft accuses China of using vulnerability disclosure to develop zero-days. Andrea Little Limbago from Interos addresses accountability for breaches. Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative. And, finally, remember Silk Road? The Feds do.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/214
Selected reading.
Hacktivists Use of DDoS Activity Causes Minor Impacts (FBI)
The government says it won't flag election disinformation on Twitter and other social platforms (Washington Post)
What to Expect When You are Expecting an Election (CISA)
Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression (Microsoft On the Issues)
U.S. Attorney Announces Historic $3.36 Billion Cryptocurrency Seizure And Conviction In Connection With Silk Road Dark Web Fraud (U.S. Attorney's Office for the Southern District of New York)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Election security on the eve of the U.S. midterms. The U.S. FBI rates hacktivist contributions to Russia's war as
unimportant. Microsoft accuses China of using vulnerability disclosure to develop zero-days.
Andrea Little-Limbago from Interos addresses accountability for breaches. Our guest is
Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative.
And finally, remember Silk Road?
I assure you, the feds do.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Monday, November 7th, 2022.
The U.S. midterm elections will conclude on Election Day tomorrow,
though in most jurisdictions they've been underway in the form of mail-in ballots and
other forms of early voting for weeks. In general, the U.S. federal authorities involved in helping
states secure the vote have been optimistic about the prospects for a vote unaffected by
cyberattacks proper. There has been a recent surge in Russian disinformation deployed against U.S. voters, the New York Times reports,
with the Internet Research Agency's trolls and bots resurfacing, as they have for the last
several election cycles. How successful the influence campaign will be is unclear, although
widespread awareness that it's in progress will no doubt blunt such effect as it may have.
The present campaign differs from earlier Russian efforts in the extent to which it seeks to
convince, as opposed to simply confuse its audience. The positive line being pushed from
St. Petersburg, positive from the Kremlin's point of view, is that U.S. support for Ukraine is a wasteful expenditure and a losing
and unworthy cause. Whether that story will turn out to have legs is unknown, but at this point it
seems unlikely. The Washington Post says that CISA is taking a hands-off approach to specific
disinformation. The agency will not, for example, flag specific false claims in social media.
U.S. officials have recently expressed confidence that direct cyberattacks against election infrastructure are unlikely to have much, if any, effect.
And by that, they think of such things as locking up voting machines, directly manipulating vote counts, or interfering with reporting and tallying,
those sorts of capers. CISA's Friday communication about election security focused instead on the
threat of dis- and misinformation. In particular, it urged voters to remember that early counts are
not official and that isolated local problems and accidents shouldn't be interpreted as evidence
of systemic corruption or unreliability. So what about DDoS attacks on election systems?
Are these likely to disrupt the elections? Probably not, as much as various hacktivist
groups might try. On Friday, the FBI offered an assessment of nominally hacktivist groups serving as Russian auxiliaries in the war against Ukraine.
Groups like Killnet are having a minor effect at best, the bureau says.
Their DDoS attacks have not generally risen above a nuisance level.
They've been unsophisticated and haven't really achieved crippling effects on their targets.
The bureau's description of hacktivism and how it works is
worth quoting. The advisory says: "The FBI defines hacktivism as a collective of cyber criminals
who conduct cyber activities to advance an ideological, social, or political cause.
Historically, hacktivist collectives conducted and advocated for cybercrime activity following high-profile
political, socioeconomic, or world events. Coinciding with the Russian invasion of Ukraine,
the FBI is aware of pro-Russian hacktivist groups employing DDoS attacks to target critical
infrastructure companies with limited success. Hacktivists provide tools and guidance on cyber attack methodology and techniques
to anyone willing to conduct an attack on behalf of their cause. DDoS attacks of public-facing
websites, along with web page and social media profile defacement, are a preferred tactic for
many operations. These attacks are generally opportunistic in nature and, with DDoS mitigation
steps, have minimal operational impact on victims. However, hacktivists will often publicize and
exaggerate the severity of the attacks on social media. As a result, the psychological impact of
DDoS attacks is often greater than the disruption of service." So, the effects of DDoS may well be
more in our head than anywhere else. The value of a zero-day exploit drops quickly. Once it's used,
it's blown. And once the vulnerability it takes advantage of is patched and disclosed,
then it works only as long as there are unpatched systems out in the wild for the zero-day to exploit.
Microsoft reported Friday that China's government seems to be using its vulnerability disclosure law
to gain access to vulnerabilities before they're generally announced.
This enables Chinese intelligence services to develop and deploy zero-day exploits
during a narrow window of opportunity, Microsoft suggests.
Beijing's interests remain focused on espionage and intellectual property theft,
and if Microsoft has it right, they're picking up the tempo of their exploit development process.
In full disclosure, we note that Microsoft is a CyberWire partner.
And finally, it was a case long in the making,
but now it's over. James Zhong, whose house was raided last November, on Friday took a guilty
plea to U.S. federal charges of committing wire fraud in September 2012, when he unlawfully
obtained over 50,000 Bitcoin from the Silk Road dark web internet marketplace.
On November 9th, 2021, IRS agents recovered more than 50,000 Bitcoin from Mr. Zhong's
Gainesville, Florida house in a raid on a virtual currency stash. The raid picked up a lot of
physical stuff. The Justice Department says they found the proceeds in an underground floor safe and on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet.
So you're no doubt asking, wasn't Silk Road a contraband market law enforcement took down years ago? It was, and its proprietor, Mr. Ross Ulbricht, also known as
the Dread Pirate Roberts, was convicted of various crimes in connection with Silk Road back in 2015.
Mr. Zhong was thus engaged in some criminal-on-criminal crime. The count of wire fraud
he pled to carries a maximum sentence of 20 years. How long a sabbatical
Mr. Zhong will actually receive in a U.S. federal correctional institution will be decided when he's
sentenced in February. After the break, Andrea Little-Limbago from Interos addresses accountability for breaches.
Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative.
Stick around.
The Partnership for Public Service is a non-profit, non-partisan organization whose mission is to build a better government and stronger democracy.
Part of how they pursue that mission is by inspiring folks to serve in government.
They recently launched the Cybersecurity Talent Initiative, a public-private partnership aimed at recruiting and training a world-class cybersecurity workforce.
Michelle Amante is vice president of federal workforce programs at the Partnership for Public Service.
So our mission today is better government, stronger democracy.
So how do we make the government more effective for the American people?
We do that in a lot of different ways.
We help federal leaders.
We support research.
We recognize
really important federal public servants through the Service to America Medals.
And then my team works on talent. And how do we think about getting more talent,
diverse talent, young talent, specialized talent into the federal workforce?
Well, let's talk about the Cybersecurity Talent Initiative. How did this get started?
Yes. So we launched our first cohort in the summer of 2020. And it all started actually
with MasterCard, which is our founding partner. And they came to us and they said, look, we want
to help solve this problem with you. At the time, there was over a 500,000 gap in cybersecurity jobs. And I believe
that number is now over 600,000 gap of jobs, both in the public and the private sector. And he said,
we want to help solve this problem. You work in the federal space. We also need talent. What can
we do together? So we co-designed this program, which will bring recent graduates,
both undergrad and graduate students, into federal positions for two years. And they serve in these
federal positions in cybersecurity roles for two years, and then they have the option to either
stay in government or go work for one of our private sector sponsors. And so in this way,
our sponsors who are amazing,
and I want to give a shout out to them now,
Microsoft, MasterCard, Accenture,
CyberVista, and Workday are able to really not only
get great talent for themselves,
but really help contribute
to this larger problem
that we're all facing
in terms of getting just more talent in the
cybersecurity space and helping our country. Well, help me understand for the folks who are
going to go through this program, what's the advantage there for them?
So what we do is we bring them in. And once again, it's a two-year fellowship with a federal agency
where they, one, don't have to go through the normal hiring process. So we work a lot with students and we know that this is a huge barrier going to USA
Jobs and trying to navigate that process. So they apply through the partnerships website
and we have open placements with federal agencies and we help facilitate that process.
So that's step one. We make it a lot easier for them. The second thing we offer is throughout the two-year fellowship,
we offer technical training through our partner, CyberVista.
And throughout the two years,
we also offer professional development and leadership training,
which is something really unique to our program.
We also offer mentoring with both federal partners
and partners in the private sector
so they have someone that they can lean on,
talk to about the space,
think about their professional goals.
And then the third benefit to the program is that if they take a job with one of our private sector sponsors,
they are eligible for student loan reimbursement, which is a huge advantage.
Yeah, I mean, that's really interesting.
And we hear so often that folks are having trouble finding those entry-level jobs,
that particularly out in industry in the cyber world,
an entry-level job means that you had 10 years of experience.
And it strikes me that this is a nice balance between those two things.
You can come in and get some experience under your belt.
And after that two years,
you have options. Yes, I absolutely agree. And we see that in the federal space too.
Very few agencies are building the pipeline. So if everyone is going after that mid-career talent,
there is no talent coming up through the ranks. So this is a great way to do it,
where the participants are very supported and encouraged to continue in this field and are given a lot of options after they finish the program.
So who is your ideal candidate here? Who are you hoping to attract?
So the student, graduate or undergraduate, as I said, they don't even have to have a specific
focus in cyber. So we're looking for students who have a focus in computer science, information systems,
or even if it's mathematics or with a minor in computer science.
So something obviously with a background that's going to set them up for success as they take
the job.
Also public service oriented, right?
We are people who work in the federal space are called to serve and they go for the mission.
And so do they have some sort of call to serve?
And so that is reflected in the essays. We try to make the application process very easy and
smooth, but we do have some essays and we want to hear from these prospective fellows about why
they want to work in the federal government. What is their specific call to serve? We're really
hoping that more corporate partners will join us in this mission
and in this goal to help close the gap and help serve our country. And so you can find information,
whether you're a student or a corporate sponsor, on the webpage.
That webpage is gogovernment.org. Michelle Amante is Vice President of Federal Workforce Programs
at the Partnership for Public Service.
And joining me once again is Andrea Little-Limbago.
She is Senior Vice President for Research and Analysis at Interos. Andrea, it's always great to welcome you back.
You know, we've had several stories in the news lately where we have CISOs who are being called on the carpet for breaches that have taken place. Indeed, you know, we saw Mudge, who was a whistleblower with the situation at Twitter.
I want to touch base with you on accountability
and ultimately, where does the buck stop
when it comes to accountability in these breaches?
Yeah, and that's the question of the day right now
that I think a lot in the security community are debating.
Because there isn't a clear identified role
that actually at the end of the day is the one responsible. In theory, many would argue the CEO is the one who's responsible
for the entire organization. And yet, we're seeing the chief security officer of Uber on trial right
now for a response to a data breach. And that, coupled with what we're seeing with Twitter and
with Mudge's discussion, is really the focus on who's going to be liable.
So at the end of the day, the chief security officer, chief information security officer, they're the ones responsible for the security within a company.
And that's the argument is that they should be the ones held responsible.
But what we increasingly hear, and I think a lot of us in the community know, they may not be resourced to do what is needed. And so there is a,
and even if they are, are they the ones that actually are the ones who are, that are legally obligated to report a breach? Very often within a company, they aren't the ones that actually would
be, you know, perhaps reaching out to the FTC if there is a breach. And you augment that with a
really big patchwork of data breach notification laws in the U.S. There are about 54.
If you think of it, every state has their own data breach notification law,
plus D.C., Guam, Puerto Rico, Virgin Islands.
So you basically have this patchwork of data notification laws
that each one has a little bit of a different nuance to it.
And so it becomes extraordinarily difficult,
both from a policy angle and then organizationally within a company, to know really where that buck stops.
But really, I think it's unsettling for many to see chief security officers brought to trial, given the widening aperture of what chief security officers are charged with for responsibilities, and then coupled with, do they have the resources or not?
And so it really, it's one of those discussions, I think, that's going to be ongoing for quite some time and is already adding to a very complex role that we're seeing.
You know, just last week, I was speaking with someone who's a CISO, and she was saying that
in many organizations, it's her experience that chief security officers, chief information
security officers, they're really C-suite members in name only.
That, you know, they're burdened
with a lot of the responsibilities,
but aren't actually elevated to the level
that many of the other C-suite folks are.
Right. And that's, you know,
I think in Mudge's testimony,
you highlighted that.
No matter how many times you can bring some of the problems
to more of the executives that are on the business side, it either gets ignored or none of the resources are put
there or the authority to actually solve, say, lackadaisical security. The resources just aren't
even there or prioritized. And so the chief security officer can only do so much as far as
highlighting these different challenges, but they don't have the buy-in
from the CEO, from your chief legal officer, from the board of advisors. It becomes extraordinarily
difficult for them to implement, yet they're the ones who increasingly become the face of the breach
when a breach happens. And as we've seen, there are very few companies that you could point to
that have not had a publicly, public profile breach.
And if they haven't had a public profile, they probably have just done a good job keeping it out of the media.
This is really the reality these days.
I can't help wonder if this is part of the reason why we see such high turnover with CISOs.
I mean, you know, it's a tough job, and I can see why it's not something you'd want to stay with for so long.
Right, and at least by some of the studies that are out there,
it's about an 18-month average tenure for someone in that position,
which is extraordinarily short when you compare it to the other C-suite jobs.
But yeah, I mean, it's increasingly hard.
There's a lot both on the line as far as it's such an important role
for keeping a company's data protected
and the people protected.
But if the resources aren't there,
that becomes problematic.
If the support across the board is not there,
that becomes very hard.
And then even from there,
you're seeing just a broader role as well
for the CISOs to take on other kinds of risks
across the company as well.
And the supply chain risk is one that is increasingly one that's starting to fall under their umbrella as well. So it's
a role that has a ton of responsibility, but not necessarily always the authority to do what's
needed to be done. Are we seeing any movement here? I mean, are the folks signing up for these
positions saying, look, I'll do this, but here are my terms? I think increasingly, and that's where I think it'll be interesting to see how the market shifts.
On the one hand, I think there's increasing requests for various kinds of insurance and legal fee coverage,
in case that comes to that.
And so we need to keep an eye on what happens on the insurance front.
And then conversely, with the policy side, really helping get at this liability issue.
Because not only does it encourage companies to not actually share information about a breach, which then can help inform everyone else that might also be a target.
So it limits everyone else's security.
But it impacts how companies are going to attract talent to take on these kind of responsibilities.
And so if we had actually some more federal guidance
implemented across the board in the data breach area,
especially addressing the aspect of liability,
I think that could go a long way to helping
lessen a tiny bit some of the burnout
that's happening within chief security officers.
Right, right.
All right, well, Andrea Little-Limbago, thanks for joining us.
All right.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.