Welcome to The Cybersecurity 202! Allied troops stormed the beaches at Normandy 78 years ago today. There are probably more movies about World War II than any other event. “The Best Years of Our Lives” about returning veterans is among the best.
The U.S. isn’t getting ahead of the cyber threat, experts say
Our network experts say the U.S. is just as vulnerable – or even more vulnerable – to cyber attacks
Our network of cyber experts have a less-than-rosy take on the United States' ability to fend off cyber attacks.
Most of them said the U.S. is either just as vulnerable to cyberattacks or even more vulnerable today than it was five years ago.
That assessment, from a group of experts polled by The Cybersecurity 202, reflects a half-decade during which government and industry have supercharged their efforts to defend against devastating hacks from foreign governments and criminals — but the bad guys have upped their game even more, most experts say.
‘[We’re] less vulnerable against the threats of five years ago. But I see no evidence that the threat has stood still, and in fact, it is likely that it has grown at a faster rate than our defenses,” said Herb Lin, senior research scholar for cyber policy and security at Stanford University
“We become evermore vulnerable with each passing day,” warned Lauren Zabierek, executive director of the Cyber Project at the Harvard Kennedy School’s Belfer Center. “I don't know where the bottom is.”
- About 43 percent of respondents to our Network experts poll said the United States is more vulnerable to cyberattacks now.
- About 38 percent said we’re just as vulnerable as we were five years ago.
- Just 19 percent of experts said the United States is less vulnerable in cyberspace than five years ago.
The sobering results come as cyber executives and analysts are convening in San Francisco for the RSA Conference, the largest annual industry-focused cybersecurity gathering, which is being held in person for the first time since the start of the coronavirus pandemic.
The cyber industry has fared extremely well during the past half-decade — nearly doubling in value, according to some estimates — but it has also struggled to keep up with the dizzying pace of attacks.
One key problem, according to experts who said the United States is more vulnerable now: The nation has become more reliant on technology during the past five years — significantly increasing the targets that hackers can aim at. And that technology is often being built without security foremost in mind.
“Cybersecurity is improving constantly, but the complexity of our digital society may be outpacing our efforts to keep up,” Mandiant Threat Intelligence chief John Hultquist said
Cyber and tech investor Niloofar Razi Howe: “We are more vulnerable because of the dizzying pace we are adopting technology, engaging in tech transformation, and adding devices without prioritizing security.”
One particularly rich target has been a vast new array of Internet-connected devices, such as refrigerators, thermostats and cameras. These devices, commonly called the “Internet of things” or “IoT” are notorious for relying on weak or default passwords and being difficult to update with software patches — making them easy pickings for hackers.
“Many of these technologies have shortchanged their cybersecurity expenditures, creating ever-increasing liabilities for everyone,” said Sascha Meinrath, founding director of X-Lab, a think tank at Penn State focusing on the intersection of technologies and public policy.
“As the cyber-strategist Biggie Smalls would have said, ‘More IoT, More Problems,’ ” quipped Peter Singer, a fellow at the New America think tank. (Singer said the United States is equally vulnerable compared to five years ago).
Many experts blamed the United States’ ongoing vulnerability to hacking on the increased brazenness of U.S. adversaries, especially Russia.
- Norma Krayem, a cyber policy expert at Van Scoyoc Associates: “Russia's use of cyber tools against Ukraine has clearly demonstrated to the world that it can fully disrupt key aspects of critical infrastructure.”
- Dave Aitel, a cybersecurity researcher and Partner at Cordyceps Systems: “Our adversaries continue to advance their skills and no amount of cyber hygiene is enough to compensate for that basic fact.”
- Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub: “Adversaries have gotten stronger. Business and individuals are more dependent on the Internet than ever. And we haven't prioritized cybersecurity enough to counteract these trends.”
That sentiment was shared by several experts who said the United States is equally vulnerable compared to five years ago. They described a cat-and-mouse game in which U.S. companies are constantly improving defenses but never really getting ahead.
- Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School: “While defenders have certainly gotten better in the last five years, so have the attackers.”
- John Pescatore, director of emerging security trends at the SANS Institute: “A lot of progress has been made, but unfortunately by both the bad guys and the good guys.”
Many experts who picked the equally vulnerable response said it’s simply impossible to determine whether the United States is more or less vulnerable to hacking now — either because the answer varies so much from industry to industry or because there’s not good enough data to make the call.
“It's better in some sectors and worse [in] others, but as a country, the net/net is that we're still in a comparable — and fairly awful — position,” said Jeremy Grant, managing director at the law firm Venable.
- Steve Weber, a cyber-focused professor at the University of California at Berkeley: “You can't manage what you can't measure, and measurements of 'vulnerability' are incredibly messy, undisciplined, almost certainly biased, and partial at best.”
For those who said the United States is less vulnerable to hacking now, many based that assessment on the rising public awareness of cyberthreats — especially after ransomware attacks that have threatened the economy and national security in recent years.
“Awareness about the threat has improved dramatically,” said Michael Daniel, a former White House cyber coordinator who now leads the Cyber Threat Alliance.
“Thanks to high profile ransomware attacks awareness is greater than ever at the board and governmental level, and I believe if you are aware of risks, you are more likely to protect against them,” said Jeff Moss, founder and CEO of DEF CON Communications.
More responses to our Network survey
- “Since complexity is the enemy of security, ipso facto, security is harder and the United States is more vulnerable.” — Mark Weatherford, a former top Department of Homeland Security cyber official who’s now a general partner at Aspen Chartered.
- “The U.S. is more vulnerable than ever to cyberattacks due to its increased dependence on complex, interconnected software.” — Katie Moussouris, founder of Luta Security.
- “The pace of progress has been uneven. There are still certain sectors and critical functions that remain woefully behind and even overall we are by no means where we need to be.” — Frank Cilluffo, director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.
- “The most sophisticated level of attackers are no longer exclusively nation-states. Private actors, who are sometimes contractors to governments, have serious compromise capabilities and can execute complex attacks.” — Robert Strayer, executive vice president of policy at the Information Technology Industry Council who was the State Department’s top cyber official during the Trump administration.
- “Both the private sector and the federal government are in a far better position to resist cyberattacks than five years ago, but the sophistication and scope of our cyber adversaries has outstripped those gains.” — Glenn Gerstell, former NSA general counsel who’s now a senior adviser at the Center for Strategic and International Studies.
- “Actually, the best answer to this question is ‘nobody can tell.’ In the absence of ANY metrics about cybersecurity, it is realistically impossible to answer this question.” — Paul Rosenzweig, founder of Red Branch Consulting.
- “Ransomware is the richest attack monetization we have ever seen so attackers will continue to increase their efforts to compromise, even as we get more secure.” — Chris Wysopal, co-founder of Veracode.
- “Ransomware has helped to make cybersecurity a real political priority, but it will take a sustained effort over several years to make significant progress. Keeping our foot on the gas is not something we’ve done well in the past, but that must change. — Chris Painter, top State Department cyber official during the Obama administration who’s now president of the Global Forum on Cyber Expertise.
Lawmakers unveil long-awaited privacy bill, but its prospects are uncertain
The bipartisan proposal would require companies to limit their data collection, and would also let users sue companies that improperly sell their data and opt out of targeted ads, Jacob Bogage and Cristiano Lima report. But the bill faces an uphill climb to become law, with critics saying it doesn’t do enough to protect consumers.
Senate Commerce Committee Chair Maria Cantwell (D-Wash.) hasn’t endorsed the bill, and it could stall without her support. Cantwell told The Post that “any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interests.”
Sen. Brian Schatz (D-Hawaii) told lawmakers that the effort was “falling short” in delivering for consumers. He urged them to “refuse to settle for a privacy framework that will only result in more policies to read, more cookies to consent to and no real change for consumers.”
Trump allies considered having armed private contractors seize voting machines
The plan was sent by British entrepreneur Andrew Whitney to Cyber Ninjas chief executive Doug Logan and Jim Penrose, whose LinkedIn page says he previously worked at the National Security Agency, the Los Angeles Times’s Sarah D. Wire reports. Cyber Ninjas was later responsible for a shoddy, partisan election audit in Arizona that didn't find evidence of significant fraud and ended up confirming President Biden’s victory in the state.
Experts criticized the draft’s legal arguments. “A private sector organization has no authority to go and seize state government equipment,” former CISA director Chris Krebs told the Los Angeles Times. “The federal government doesn’t even have that authority, particularly in the context of administering elections. And we are looking at a document that says that’s OK.”
Penrose and Whitney didn’t respond to the Times’s request for comment. Logan declined to participate in an interview with the outlet.
CISA has publicly released a long-awaited advisory urging states to fix vulnerabilities in Dominion voting machines. The agency has “no evidence that these vulnerabilities have been exploited in any elections,” it said. In the days before the advisory was released, experts argued about the vulnerabilities and their implications. Election Assistance Commissioner Donald Palmer and Free Speech For People’s Susan Greenhalgh:
CISA makes no such findings - they rejected outright most of his report. Ballot marking devices are used throughout the country; tested to approved voting standards in accredited EAC federal labs. No significant findings or vulnerabilities in this forthcoming advisory. https://t.co/0FV3O1dWK2
— Don Palmer (@VotingGuy) May 31, 2022
So it’s not the voting systems, it’s the election officials fault?
Election officials don’t gaslight voters, exaggerating the threat or confusing the American people with their own agenda. When we see an issue or deficiency, we work to resolve it or improve it. https://t.co/aMrkw8k723
— Don Palmer (@VotingGuy) June 1, 2022
I have read Halderman’s report bcz I’m w/in the seal. And I’ve read @katebrumback s story which confirms cisa affirmed Halderman’s findings. You’re plainly mischaracterizing this, as EAC & other officials have done to dismiss legitimate security concerns, & that has eroded trust https://t.co/6o6qTmWKD3
— Susan Greenhalgh (@SEGreenhalgh) June 2, 2022
- Mitre is publicly unveiling its Insider Threat Framework Initiative today at the RSA Conference. The framework will help organizations find malicious insiders, Mitre says. Details here.
Crypto scams are on the rise, draining more than $1 billion in last year (By Tory Newmyer)
- It’s official: President Biden plans to nominate Nate Fick as the State Department’s ambassador at large for cyberspace and digital policy. Fick is vice president of security strategy at software firm Elastic, and served as a Marine Corps officer in Afghanistan and Iraq.
- The Atlantic Council’s Digital Forensic Research Lab hosts a two-day summit starting today.
- The House Committee on Veterans Affairs holds a hearing on cybersecurity on Tuesday at 10 a.m.
- The Senate Homeland Security Committee hosts a hearing on ransomware and cryptocurrency payments on Tuesday at 10 a.m.
- The House Armed Services Committee’s cybersecurity subcommittee discusses the annual defense authorization bill on Wednesday at 10 a.m.
Thanks for reading. See you tomorrow.
Gloss