A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! Allied troops stormed the beaches at Normandy 78 years ago today. There are probably more movies about World War II than any other event. “The Best Years of Our Lives” about returning veterans is among the best.
Below: A long-awaited privacy proposal’s prospects are uncertain, and Trump allies suggested having armed private contractors seize voting machines after the 2020 election.
Our network of cyber experts has a less-than-rosy take on the United States’ ability to fend off cyberattacks.
Most of them said the U.S. is either just as vulnerable to cyberattacks or even more vulnerable today than it was five years ago.
That assessment, from a group of experts polled by The Cybersecurity 202, reflects a half-decade during which government and industry have supercharged their efforts to defend against devastating hacks from foreign governments and criminals — but the bad guys have upped their game even more, most experts say.
“[We’re] less vulnerable against the threats of five years ago. But I see no evidence that the threat has stood still, and in fact, it is likely that it has grown at a faster rate than our defenses,” said Herb Lin, senior research scholar for cyber policy and security at Stanford University.
“We become evermore vulnerable with each passing day,” warned Lauren Zabierek, executive director of the Cyber Project at the Harvard Kennedy School’s Belfer Center. “I don’t know where the bottom is.”
The sobering results come as cyber executives and analysts are convening in San Francisco for the RSA Conference, the largest annual industry-focused cybersecurity gathering, which is being held in person for the first time since the start of the coronavirus pandemic.
The cyber industry has fared extremely well during the past half-decade — nearly doubling in value, according to some estimates — but it has also struggled to keep up with the dizzying pace of attacks.
One key problem, according to experts who said the United States is more vulnerable now: The nation has become more reliant on technology during the past five years — significantly increasing the targets that hackers can aim at. And that technology is often being built without security foremost in mind.
“Cybersecurity is improving constantly, but the complexity of our digital society may be outpacing our efforts to keep up,” Mandiant Threat Intelligence chief John Hultquist said.
Cyber and tech investor Niloofar Razi Howe: “We are more vulnerable because of the dizzying pace we are adopting technology, engaging in tech transformation, and adding devices without prioritizing security.”
One particularly rich target has been a vast new array of Internet-connected devices, such as refrigerators, thermostats and cameras. These devices, commonly called the “Internet of things” or “IoT,” are notorious for relying on weak or default passwords and being difficult to update with software patches — making them easy pickings for hackers.
“Many of these technologies have shortchanged their cybersecurity expenditures, creating ever-increasing liabilities for everyone,” said Sascha Meinrath, founding director of X-Lab, a think tank at Penn State focusing on the intersection of technologies and public policy.
“As the cyber-strategist Biggie Smalls would have said, ‘More IoT, More Problems,’ ” quipped Peter Singer, a fellow at the New America think tank. (Singer said the United States is equally vulnerable compared to five years ago).
Many experts blamed the United States’ ongoing vulnerability to hacking on the increased brazenness of U.S. adversaries, especially Russia.
That sentiment was shared by several experts who said the United States is equally vulnerable compared to five years ago. They described a cat-and-mouse game in which U.S. companies are constantly improving defenses but never really getting ahead.
Many experts who picked the equally vulnerable response said it’s simply impossible to determine whether the United States is more or less vulnerable to hacking now — either because the answer varies so much from industry to industry or because there’s not good enough data to make the call.
“It’s better in some sectors and worse [in] others, but as a country, the net/net is that we’re still in a comparable — and fairly awful — position,” said Jeremy Grant, managing director at the law firm Venable.
For those who said the United States is less vulnerable to hacking now, many based that assessment on the rising public awareness of cyberthreats — especially after ransomware attacks that have threatened the economy and national security in recent years.
“Awareness about the threat has improved dramatically,” said Michael Daniel, a former White House cyber coordinator who now leads the Cyber Threat Alliance.
“Thanks to high profile ransomware attacks awareness is greater than ever at the board and governmental level, and I believe if you are aware of risks, you are more likely to protect against them,” said Jeff Moss, founder and CEO of DEF CON Communications.
The bipartisan proposal would require companies to limit their data collection, and would also let users sue companies that improperly sell their data and opt out of targeted ads, Jacob Bogage and Cristiano Lima report. But the bill faces an uphill climb to become law, with critics saying it doesn’t do enough to protect consumers.
Senate Commerce Committee Chair Maria Cantwell (D-Wash.) hasn’t endorsed the bill, and it could stall without her support. Cantwell told The Post that “any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interests.”
Sen. Brian Schatz (D-Hawaii) told lawmakers that the effort was “falling short” in delivering for consumers. He urged them to “refuse to settle for a privacy framework that will only result in more policies to read, more cookies to consent to and no real change for consumers.”
The plan was sent by British entrepreneur Andrew Whitney to Cyber Ninjas chief executive Doug Logan and Jim Penrose, whose LinkedIn page says he previously worked at the National Security Agency, the Los Angeles Times’s Sarah D. Wire reports. Cyber Ninjas was later responsible for a shoddy, partisan election audit in Arizona that didn’t find evidence of significant fraud and ended up confirming President Biden’s victory in the state.
Experts criticized the draft’s legal arguments. “A private sector organization has no authority to go and seize state government equipment,” former CISA director Chris Krebs told the Los Angeles Times. “The federal government doesn’t even have that authority, particularly in the context of administering elections. And we are looking at a document that says that’s OK.”
Penrose and Whitney didn’t respond to the Times’s request for comment. Logan declined to participate in an interview with the outlet.
CISA has publicly released a long-awaited advisory urging states to fix vulnerabilities in Dominion voting machines. The agency has “no evidence that these vulnerabilities have been exploited in any elections,” it said. In the days before the advisory was released, experts argued about the vulnerabilities and their implications. Election Assistance Commissioner Donald Palmer and Free Speech For People’s Susan Greenhalgh:
CISA makes no such findings – they rejected outright most of his report. Ballot marking devices are used throughout the country; tested to approved voting standards in accredited EAC federal labs. No significant findings or vulnerabilities in this forthcoming advisory. https://t.co/0FV3O1dWK2
So it’s not the voting systems, it’s the election officials fault?
Election officials don’t gaslight voters, exaggerating the threat or confusing the American people with their own agenda. When we see an issue or deficiency, we work to resolve it or improve it. https://t.co/aMrkw8k723
I have read Halderman’s report bcz I’m w/in the seal. And I’ve read @katebrumback s story which confirms cisa affirmed Halderman’s findings. You’re plainly mischaracterizing this, as EAC & other officials have done to dismiss legitimate security concerns, & that has eroded trust https://t.co/6o6qTmWKD3
Russian ministry website appears hacked; RIA reports users data protected (Reuters)
Tehran municipality websites hit by possible hacking, Iranian agency says (Reuters)
One arrest made as PSNI joins forces with FBI for cybercrime investigation (Belfast Telegraph)
In Races to Run Elections, Candidates Are Backed by Key 2020 Deniers (New York Times)
Texts reveal GOP mission to breach voting machine in Georgia (The Daily Beast)
Crypto scams are on the rise, draining more than $1 billion in last year (By Tory Newmyer)
Cryptocurrencies were once seen as an unmitigated boon for criminals. Not anymore. (NBC News)
Yuga Labs confirms Discord server hack; 200 ETH worth of NFTs stolen (CoinDesk)
The hacker gold rush that’s poised to eclipse ransomware (WIRED)
how to walk your dog after a tropical storm
(rayfrank IG) pic.twitter.com/22U9CpPpOD
Thanks for reading. See you tomorrow.