At a glance.
- Updates on the NSO affair.
- White House cybersecurity summit meets today.
- Cyber investor perspectives on cyber conflict and cyber policy.
Spotlight on Bahrain: ongoing NSO scandal fallout.
As we’ve seen, the Pegasus Project has prompted discussions of human rights concerns around the world, particularly in nations with autocratic tendencies. SecurityWeek breaks down a report Citizen Lab published yesterday about a zero-click exploit (dubbed “FORCEDENTRY”) that NSO Group’s Pegasus product apparently used to target up-to-date Bahraini iOS devices. Citizen Lab detected evidence of FORCEDENTRY and other exploits on nine activists’ phones, and attributed four of the hacks to Bahrain’s Government—“a well-known abuser of spyware”—“with high confidence.” Manama’s contract with NSO allegedly dates back to 2017.
Paul Bischoff, privacy advocate with Comparitech, sees bad business in all of this:
“The use of Pegasus against Bahraini activists is another in a long list of examples demonstrating how NSO Group sells its malware to oppressive regimes and totalitarian governments. NSO Group says it only sells its software to legitimate government agencies, but the evidence shows it's repeatedly being used to target journalists, dissidents, and activists by authorities with histories of corruption and human rights abuses. Those authorities would not have the same spying capabilities without NSO Group. There is no real legitimate use for NSO Group's malware. We should immediately declare an international moratorium on private sales of spyware.”
Chris Hauk, consumer privacy champion at Pixel Privacy, wrote to point out that countermeasures are available, even for a tool as quiet and sophisticated as Pegasus:
“While this type of spyware will continue to exploit both known and previously unknown flaws in operating systems like iOS, there are tools available to detect whether or not a user's device is infected. iMazing, the maker of a Mac file transfer utility that makes it easier to back up iOS and iPadOS devices while also allowing easier file transfers between an iOS device and a Mac, has added a new feature to its iMazing software that can detect traces of spyware on a device. The software is a free download and doesn't require a license to use the spyware detection feature.”
Big Tech meets at White House with the prospect of regulatory sticks and carrots.
And yes, regulation can take the form of carrots as well as sticks. It's the further development of the whole-of-nation approach to cybersecurity in US policy.
Bloomberg says the Biden Administration has invited the CEOs of IBM, Google, Microsoft, Apple, Amazon, JPMorgan, and other companies for a cybersecurity chat today. The outlet sees critical infrastructure security, public-private collaboration, and supply chain security as probable topics of conversation. President Biden and national security officials will preside, Reuters reports, while tech education non-profits and leading water, energy, finance, and insurance executives join the fun, according to the Washington Post.
The gathering will include “breakout sessions” with Energy Secretary Granholm and Homeland Security Secretary Mayorkas on resilience across critical sectors, and with National Cyber Director Inglis and Commerce Secretary Raimondo on cybersecurity education. Discussions are also slated to span Russian ransomware and incident reporting regimes, the Record notes. Deputy National Security Adviser for Cyber Neuberger will help Inglis “craft a readout” of the sessions for President Biden.
The White House reportedly hopes to achieve voluntary progress on workforce development and industry security standards. Communiqués on these fronts are expected to follow the event, which the Post characterizes as “one of the last chances for industry to make big voluntary cybersecurity changes before regulations force such action.” A senior official previewed “a set of concrete announcements” on the subjects of “technology and talent.”
CyberScoop recaps Cybersecurity and Infrastructure Security Agency (CISA) Director Easterly’s efforts to establish a proactive national cybersecurity posture through initiatives like the Joint Cyber Defense Collaborative, Federal network threat hunting, election “Rumor Control” publications, and CISA workforce expansions.
GovTech reviews the repercussions of President Biden’s cybersecurity Executive Order (EO) for state and local Governments, predicting a shift in regulatory focus from data privacy to continuity of operations. Tech departments can use the EO as a map of priority practices, like incident response plans, multifactor authentication, and encryption. Although some intractable problems like software supply chain vulnerabilities will persist, state and local Governments can at least look forward to improved funding from sources like the American Rescue Plan Act and Energy Department grants (but should stop banking on cyber insurance bailouts, the piece notes). e.Republic executive Joe Morris is hopeful that the country is “reaching an alignment of policy, priority and funding” on cybersecurity.
Investor perspectives on cyber conflict and cyber policy.
During an online meeting yesterday organized by the two firms, Team8's Nadav Zafrir and NightDragon's Dave DeWalt offered some thoughts on the current state of cybersecurity, and its implications for policy.
Both said that we're seeing two changes driving a secular trend toward a more dangerous environment in cyberspace. One of these is the growing dependence, as an economy and indeed a civilization, on digital infrastructure, a trend that's been accelerated by the COVID-19 pandemic. The other is a surge in hostile action in cyberspace, both on the part of nation-states and criminals, the criminals having grown more ambitious and more capable. Zafrir said that we’ve seen a surge in nation-state attacks, and can expect to see more. "More nations are going to join the club of those who have significant cyber capabilities." Criminal organizations are growing more aggressive and effective. We’ll see more attacks, and more collateral damage.
DeWalt sees the threat actors in what he calls a “perfect storm in the cyber domain” as falling into three classes he calls the “three S's.” Those are states, sheltered organizations (protected criminal groups), and shell organizations (fronts established by nation-states and set up as, for example, American entities).
Both government and business have a role to play in cyber conflict. They can both increase the cost of an attack, but in different ways. Zafrir and DeWalt agreed that retaliation was properly a government responsibility, but that companies could impose costs in other ways, by, for example, using decoys and deception to alter the attacker's value proposition. But "hacking back" is the government's business, and governments need to develop an effective approach to deterrence, something that has yet to emerge.
Zafrir concluded that business should expect "guardrails" from regulators, and that within those rails business should concentrate on delivering innovation. He cited homomorphic encryption as one invaluable area of innovation rapidly approaching maturity.
Finally, DeWalt offered some thoughts on the Taliban success in Afghanistan: “Whenever you see a change of regime around the world, one of the elements that arises is the cyber power that can be invoked from that region.”