
Published on December 19th, 2022


Does software piracy undermine Kyiv’s security?



A recent supply chain intrusion in Ukraine highlights an underappreciated element of Kyiv's IT landscape, one that might be complicating its defenses.

HAPPY MONDAY, and welcome to Morning Cybersecurity! Greek food Friday, holiday party Saturday and epic World Cup final Sunday.

That’s what you call a perfect weekend.

Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

PROGRAMMING NOTE: We’ll be off next week for the holidays but back to our normal schedule on Tuesday, Jan. 3.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Congressional leadership is expected to release compromise text for the omnibus spending bill. No time specified

SOFTWARE SUPPLY CHAIN — On the surface, research out last week from Mandiant merely highlights the latest in a long line of deft supply chain compromises from (likely) Kremlin-backed hackers.

But read between the lines, and it also shines a light on a unique challenge facing Ukraine’s keyboard warriors: how the widespread use of software obtained illegally over the internet — so-called “pirated” code — complicates the country’s ability to keep Russian hackers at bay.

What happened — According to Mandiant, hackers likely affiliated with Russia’s main military intelligence unit, the GRU, uploaded modified Windows 10 installers to popular East European torrenting sites, which distribute files over a peer-to-peer protocol widely used for software piracy, and then tracked users who downloaded the poisoned code.

While Mandiant danced around the piracy issue in its blog, it's clear the “socially engineered supply chain operation” took advantage of the widespread nature of the practice. According to the firm, the intruders breached sensitive government systems simply by waiting for the malware-laced downloader to find its way onto a “network of interest.”

Why that matters — Software piracy, which is widespread in Eastern Europe, presents two security defects relative to licensed software, said Matt Tait, an independent cybersecurity expert and a former information security specialist at GCHQ.

In general, pirated software does not receive the same security support that licensed software does, even though Microsoft and other software vendors make some security updates available even to unlicensed users.

And then there is the issue the Mandiant research highlights: Because pirated software is distributed via unlicensed third parties, it's far harder to trust what’s under the hood of your code.
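The practical counter to that second defect is to verify an installer against something the vendor publishes rather than trusting the source you downloaded it from. The script below is an added example for this newsletter, not code from Mandiant or Microsoft: it compares a Windows ISO's SHA-256 against a vendor-published value the administrator supplies (Microsoft lists these on its download pages; the script assumes you already have the correct one) and then mounts the image and sweeps the executables it carries for missing or non-Microsoft Authenticode signatures. The `$IsoPath` and `$ExpectedSha256` parameters are assumptions for the example.

```powershell
# Added example: sanity checks to run on a Windows installer ISO before using it.
# Assumptions (not from the article): $ExpectedSha256 is the hash the vendor
# publishes for this exact image, and $IsoPath points at the downloaded file.
param(
    [Parameter(Mandatory)] [string] $IsoPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

$ErrorActionPreference = 'Stop'

# 1. Does the file match the vendor-published hash? A repackaged image from a
#    torrent will not, however convincing the installer looks once it runs.
$actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
    exit 1
}
Write-Host "SHA-256 matches the vendor-published value"

# 2. Mount the image and check Authenticode signatures on every .exe/.dll that
#    is directly visible on it. Unsigned files, or files signed by anyone other
#    than Microsoft, are a red flag on an image that claims to be unmodified.
$img = Mount-DiskImage -ImagePath $IsoPath -PassThru
try {
    $root = ($img | Get-Volume).DriveLetter + ':\'
    $bad = @()
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                $bad += [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
    if ($bad.Count -gt 0) {
        Write-Warning "$($bad.Count) binaries failed signature checks:"
        $bad | Format-Table -AutoSize
        exit 1
    }
    Write-Host "All visible executables carry valid Microsoft signatures"
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

The hash comparison is the decisive check: if the bytes match what the vendor published, the image is the vendor's. The signature sweep is a fallback for when no trusted hash is available, and it only sees files laid out on the ISO itself, not binaries packed inside `install.wim` or `install.esd`, so a clean sweep is weaker evidence than a matching hash.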

Open questions — The tight-lipped Mandiant report left several questions unanswered, such as how many Ukrainian entities were compromised in the campaign or how the hackers made it onto their networks.

As a result, the security implications of Ukraine’s software piracy issue could vary widely, said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.

“This isn’t a top [cybersecurity] priority unless it’s the Ukrainian government or military using pirated code,” said Herr, drawing a distinction between directly breaching a sensitive network through the bunk torrents and using them as a hopping point to deploy other tradecraft.

Misaligned incentives? — Herr, Tait and Dmitri Alperovitch, co-founder and chair of the Silverado Policy Institute, all said that while it's unclear how pressing a priority the piracy issue is for Ukraine, it would be easy for Microsoft to transition select Ukrainian users to licensed software — if the company decided it wanted to.

Asked whether Microsoft would consider giving free or discounted software licenses to Ukrainian users or otherwise helping them replace pirated code, a representative for Microsoft referred MC to $100 million in technology support the company issued to Ukraine last month.

The announcement did not include details on what the grant went to or how it was spent.

LANGEVIN ISN’T DONE — After roughly 20 years shepherding major cybersecurity reforms through the halls of Congress, Rep. Jim Langevin (D-R.I.) may be on the verge of retiring, but he’s not done shaping cyber policy on Capitol Hill.
In an interview with the POLITICO cybersecurity team last week, the departing lawmaker told MC he plans to continue encouraging fellow lawmakers to make cybersecurity a priority — and that he’ll always be just a “phone call away” if they need him.

Passing the torch? — As a member of the House Armed Services Committee’s cyber subcommittee, a co-chair of the Congressional Cybersecurity Caucus and a commissioner of the Cyberspace Solarium Commission, Langevin will leave multiple, terabyte-sized gaps in the cyber policy-making landscape.

Asked who might fill his shoes in the first of those posts, the Rhode Island lawmaker cited Reps. Elissa Slotkin (D-Mich.), Andy Kim (D-N.J.), Eric Swalwell (D-Calif.) and Seth Moulton (D-Mass.) on the Democratic side of the House.

Among Republicans, he pointed to Reps. Michael McCaul (R-Texas) and Mike Gallagher (R-Wis.), another commissioner on the influential Cyberspace Solarium Commission.

Getting up to speed — Beyond naming lawmakers who have shown interest in cyber policy already, Langevin expressed optimism that congressmen new to the topic will emerge to take ownership over it, much as Langevin himself once did.

“There’ll be, I believe, more and more members that will gravitate toward this area,” he said, because the issue will be “more and more pervasive and intuitive” to the younger members now entering Congress.

Two more nuggets — My colleagues Eric and Maggie have a longer story on the departing lawmaker set to come out later this week. Until then, here are two more nuggets from our interview to keep you on the edge of your seat:

  • Dual hat. At least for the foreseeable future, Langevin called himself a “strong supporter of the dual hat,” the arrangement where a single individual heads the agencies — NSA and US Cyber Command — overseeing the nation’s cyber spies and its cyber warfighters. “Right now, especially, if we were to split the hat, if you will, we’d be stovepiping our cyber operations, or we’d be involved in those issues with one hand tied behind our back,” said Langevin.
  • EPA. Langevin said the “under-resourced” agency needs help from appropriators to make sure it can fulfill its duties as the sector risk-management agency over the country’s water and wastewater facilities. “They need to be properly resourced with expertise. And that's why, by the way, appropriations is so important in this process,” he said. 

KEEPING UP WITH THE EXPLOIT-DASHIANS — The pace, severity and frequency of newly exploited software bugs are putting significant pressure on resource-strapped IT staff, according to a report out this morning from internet-scanning firm GreyNoise. By studying CISA’s list of known exploited vulnerabilities, GreyNoise researchers estimated that defenders generally have four to seven days before they have to race to plug a new software bug. Another important warning in the report? GreyNoise assesses that hackers are finally figuring out where to find and how to exploit the Log4J vulnerability. That means some of the expected harms around the infamous bug — which DHS expects to persist for “a decade or more” — might come to fruition in 2023.

Following Elon Musk’s announcement of a ban on the promotion of alternative social media platforms on Twitter, Mastodon laid the smackdown on the bird site:

— Foreign Policy has a story exploring how Ukraine managed to fend off Russia’s vaunted cyber forces.

— Germany doubles down on Huawei, despite security concerns. (Reuters)

— A stalkerware app that has been banned by the FTC seems to be at it again. (Tech Crunch)

POLITICO’s Gavin Bade reports on a rift between U.S. national security agencies and the Treasury Department over whether to force ByteDance, TikTok’s Chinese owner, to divest itself of its U.S. operations.

— 2022 was the year of ransomware attacks crippling small governments. (README)

— Russian hackers infiltrated a U.S. satellite network, says CISA. (CyberScoop)

Chat soon. 

Stay in touch with the whole team: Eric Geller ([email protected]); Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).
