A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! This is my last newsletter after three-and-a-half years as author of The Cybersecurity 202. It’s been a blast!
Thank you!: To editors who guided me; researchers who wrote far more of this newsletter than most people realize and frequently caught my errors before they got into print; fellow reporters at The Post and elsewhere; sources without whom this newsletter would not have been possible, especially those who spent hours patiently explaining complex issues to me (you know who you are); and to readers who always gave me great feedback and made the newsletter better.
As for me: I’ll be heading to Johannesburg, where my wife will be doing her first tour as a U.S. Foreign Service officer. I’ll be doing some freelance reporting, so send any South Africa stories and tips my way. Please stay in touch. You’ll still be able to find me on Twitter. Other contact info is in my bio there.
There are few analogues in history for how cybersecurity has surged in importance as a government policy issue during the past eight years.
It’s gone from a relatively back-burner issue embraced by a handful of government officials and lawmakers to a top national security concern — one that prompts partisan squabbles in Congress and heated confrontations between U.S. and Russian presidents.
And that’s probably just the beginning. Things will definitely get wilder from here.
This is my last Cybersecurity 202 after three-and-a-half years authoring this newsletter and eight years as a journalist on the cyber beat.
Eight years is a long time on any beat. It’s several lifetimes on this one.
Here are three big themes that have preoccupied my reporting the past eight years.
Cybersecurity wasn’t unimportant when I started on this beat in April 2014. But it was a shadowy topic, more fretted about than understood. When cyber news stories broke through to mainstream audiences, they were usually about credit and debit card breaches that had limited real impact on consumers except the few who suffered identity theft.
The big story at the time was a mammoth credit card breach at Target that had forced the big box retailer’s CEO to resign — a cataclysmic event for industry then that’s largely a footnote now.
Things changed quickly.
With each passing year, cyber insecurity became a more fundamental and important aspect of U.S. policy, politics and daily life — similar to how connected technology itself had become increasingly pervasive a decade or two earlier.
By 2022, the prefix “cyber” has begun to seem anachronistic because digital conflict and crime are more the standard than the outlier.
Criminal ransomware gangs, for example, draw far more attention these days than conventional organized crime. And even the mafia is getting into hacking to support traditional criminal pursuits such as drug trafficking and extortion.
The cyber component of Russia’s Ukraine invasion has been more limited than some experts predicted. But it still underscores that cyber operations are sure to be a component of every future military conflict.
U.S. cyber protections have, by and large, not remotely kept pace with the threat.
The vast majority of companies are still compromised by hackers because of simple and preventable lapses, such as using shoddy passwords, not updating commercial software and employees getting conned by phishing scams that they should be wise to.
Why?
There are a lot of possible explanations, including corporate apathy and a structural advantage held by hackers.
One big explanation, though, is that government and other large institutions haven’t done the necessary work to change companies’ incentives to make cyberattacks less common. That’s unlikely to change soon.
The years-long wave of increasingly brutal and consequential cyberattacks has not been accompanied by big legislative changes.
Federal agencies have mildly ramped up cyber requirements in a handful of critical industry sectors, including pipelines and rail transport, but to decidedly mixed reviews from the regulated companies.
Many hoped that cyber insurance policies would force companies to adopt better practices to maintain coverage.
Which brings us to the third big theme …
This is about as easy as predictions get given the course of the past eight years. Everything got worse — often in unexpected ways.
The cyber future is especially treacherous because of a number of powerful new technologies that will integrate the internet ever more deeply into the fabric of daily life — including 5G wireless networks, artificial intelligence and connected technologies such as smart thermostats.
That will give hackers significantly more power to cause damage.
Then there are the unknown threats. Given the pace of technology development, it’s likely the nation will be hit within the decade by forms of cyberattacks that are hardly conceivable today.
The topic reminds me of an interview I conducted with a former contractor for the Defense Advanced Research Projects Agency (DARPA) who wrote a report about looming cyberthreats in the year 2000. The report was released publicly for the first time in 2018 as part of a broad public information request by George Washington University’s National Security Archive of emails and documents shared with former Defense secretary Donald Rumsfeld.
The report presciently noted how early the nation was in cyberwarfare developments — comparing it to the state of air warfare in the years before World War I.
More than 20 years later, those unknowns are even bigger — largely because the internet touches not just warfare but nearly every facet of modern life, from business and commerce to entertainment and romance. It’s unlikely we’re anywhere near a stable point in cyber development where we can speak with confidence about the future.
But I’m curious to see what happens.
If the bill passes, it could help the U.S. intelligence community recruit young professionals like hackers who have long been turned away over past marijuana use, the Wall Street Journal’s Dustin Volz reports. The provision was unanimously approved by the Senate Intelligence Committee in a must-pass intelligence authorization bill, but the legislation could still be changed.
The “common-sense provision … will ensure the intelligence community can continue to recruit the most capable people possible,” Sen. Ron Wyden (D-Ore.), the sponsor of the measure, tweeted.
How times change: The move marks a substantial shift from 2014 when then-FBI director James B. Comey apologized to senators after saying that restrictions on past marijuana use were hampering the FBI’s cyber hiring. Comey — who noted that “some of those kids want to smoke weed on the way to the interview” — later said he was joking.
Here’s more from Blake Sobczak, the editor in chief of README:
If this advances, it'd be a big deal for national security agencies' ability to recruit #cybersecurity talent. Many otherwise qualified security specialists have <gasp!> smoked pot, which is legal in the tech hub of California and in 18 other states + D.C. https://t.co/C6lZF4tiaT
The bill would dramatically limit when sensitive U.S. data can be housed in countries considered by the U.S. government to be a high risk, Reuters’s Alexandra Alper and David Shepardson report. China appears to be a main target of the legislation, they report.
Details: The bill would direct the Commerce Department to identify personal data that could harm U.S. national security if it’s exported. “If approved, the bill would also direct the Commerce Department to require licenses for bulk exports of the identified categories of personal data to other countries, and deny exports to high-risk countries,” Alper and Shepardson write.
The bill is co-sponsored by Senate Finance Committee Chairman Ron Wyden (D-Ore.); Sen. Marco Rubio (R-Fla.), the top Republican on the Senate Intelligence Committee; and Sens. Cynthia M. Lummis (R-Wyo.), Sheldon Whitehouse (D-R.I.) and Bill Hagerty (R-Tenn.).
Milan-based RCS Lab’s spyware targeted people using both iPhones and Android devices, Reuters’s Zeba Siddiqui reports. It’s not clear which RCS client used the spyware or who they were targeting. But the company’s clients include law enforcement agencies in Europe, according to its website.
The reports come amid widespread concern about spyware. The Biden administration has blacklisted Israeli spyware firm NSO Group, which came under scrutiny after reports that its Pegasus spyware was used to target journalists, activists and executives.
“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” Google said.
Google is raising the alarm about spyware. It’s tracking more than 30 spyware vendors with different capabilities and levels of public awareness, Google said.
“The commercial spyware industry is thriving and growing at a significant rate,” it said. “This trend should be concerning to all internet users.”
Taxpayers paid $22,000 for ‘minimal’ work in Michael Gableman’s 2020 election review (Milwaukee Journal Sentinel)
As midterms loom, elections are no longer top priority for Meta C.E.O. (The New York Times)
Tech executives urge government to share cyber threat intel (The Hill)
House Panel Passes RANSOMWARE Act to Get FTC Reports on Cross-Border Work (Nextgov)
Today’s first @washingtonpost TikTok features Juul https://t.co/3omgTmBS7Z pic.twitter.com/oqt2C0K6cC
“It eluded us then, but that’s no matter — tomorrow we will run faster, stretch out our arms farther. … And then one fine morning.” Thanks so much for reading — today and always. Aaron will be with you Tuesday.