At a glance.
- Cybersecurity bills advance in the US Senate.
- Comment on the ransomware summit.
- Missouri's Governor wants prosecution of reporter who discovered and privately disclosed a data exposure incident.
- US Army CIO offers perspective on Sino-American tech rivalry.
- The gamification of cyber talent cultivation.
Two US cyber bills advance in the Senate.
Homeland Preparedness News reports that the Senate Homeland Security and Governmental Affairs Committee has approved two bills, the Cyber Incident Reporting Act and the Federal Information Security Modernization Act of 2021, which would require critical infrastructure entities and civilian federal agencies to report attacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). US Senator Gary Peters, chairman of the committee, explained, “This information will help lead cybersecurity agencies and Congress in our efforts to establish a comprehensive strategy to punish cybercriminals for targeting American networks and prevent them from disrupting lives and livelihoods across our nation.” The bills now go to the full Senate for consideration.
Comment on the ransomware summit: "a global meeting to complain about Russia."
That's how Randy Watkins, CTO at CRITICALSTART, characterizes the international meeting the White House convened to discuss responses to ransomware. "Failing to invite the world’s top safe harbor of ransomware cybercriminals to the ransomware summit," he said, "this is more of a global meeting to complain about Russia. With technical prevention measures continuously falling short and security expertise in short supply, the threat of government prosecution is necessary to curb attacks. Without Russia in attendance, or aligned with this agreement, the primary threat actors leveraging ransomware will be undeterred."
Hey, Governor: isn't Missouri known as the Show-Me State? (Just not the Show-Me-Your-HTML State?)
Missouri Governor Mike Parson has denounced the St. Louis Post-Dispatch for what he characterized as the newspaper's "hacking" of the Department of Elementary and Secondary Education (DESE). He said at a press conference yesterday that he's referring the newspaper and its reporter for prosecution. The Post-Dispatch had found some teachers' Social Security Numbers embedded in the HTML of a publicly accessible DESE web page where citizens could check teachers' credentials: the numbers weren't displayed on the rendered page, but they were sent to every visitor's browser and could be read by anyone who viewed the page source. The paper informed DESE, waited until DESE had taken the information down, and then published its story.
Governor Parson has since doubled down via Twitter, claiming that the Post-Dispatch's story places them on the wrong side of "Tampering with computer data" (a Class A misdemeanor, or, if the action involves theft of $750 or more, a Class E felony). His tweet also points out that "Tampering with computer data, computer equipment, or computer users" is a civil tort. Most of those covering or reacting to the governor's press conference aren't buying it. See Ars Technica for a representative discussion of Governor Parson's excursus on that whole hackin' world. (Ars Technica's story is more measured than most of the others we've seen.)
The Post-Dispatch refers to a letter Missouri's Education Commissioner sent to the state's teachers: "In the letter to teachers, Education Commissioner Margie Vandeven said 'an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.'” The quotation suggests a possible confusion: "encoded" and "encrypted" aren't synonymous, and viewing a page's HTML source involves no decryption at all, since the browser must already have the source in order to render the page. But it's very difficult to discern where the Governor and presumably the Commissioner think the crime lies. After all, it was DESE that exposed the Social Security Numbers. The Post-Dispatch's story represents in part a follow-up to a 2015 audit in the course of which the state was determined to have exposed personal information of students, so a journalistic inquiry into how official Missouri had been doing with respect to privacy and security seems entirely appropriate.
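The check a web team would want here is a scan of what the server actually sends, not what the page displays. The following is an added example, not DESE's markup or the Post-Dispatch's method: it parses a constructed HTML page with Python's standard-library parser and reports every SSN-shaped value together with where it sits (visible text, hidden input, attribute, HTML comment, or script block). The sample page and its numbers are invented. A nine-digit pattern will also match other identifiers, so treat hits as leads to confirm, not proof of a leak.

```python
"""Find SSN-shaped values in HTML markup and classify where they appear.

Added example with a constructed sample page; the markup and numbers are
invented and do not reproduce any real site.
"""
import re
from html.parser import HTMLParser

# US SSN display form ddd-dd-dddd; will also match look-alike identifiers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample page (hypothetical). Nothing below renders an SSN
# on screen, yet four of them travel to every visitor's browser.
SAMPLE_HTML = """<html><body>
<h1>Educator credential lookup</h1>
<p>Name: Jane Doe. Certificate: valid.</p>
<!-- legacy record id: 123-45-6789 -->
<input type="hidden" name="ssn" value="987-65-4321">
<div data-ssn="111-22-3333">Certificate details</div>
<script>var rec = {"ssn": "555-66-7777"};</script>
</body></html>"""


class SSNLeakScanner(HTMLParser):
    """Collect (location, value) pairs for every SSN-pattern match."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        attr_map = dict(attrs)
        for name, value in attrs:
            for match in SSN_RE.findall(value or ""):
                if tag == "input" and attr_map.get("type") == "hidden":
                    where = "hidden input"
                else:
                    where = "attribute %s@%s" % (tag, name)
                self.findings.append((where, match))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as well.
        where = "script" if self._in_script else "visible text"
        for match in SSN_RE.findall(data):
            self.findings.append((where, match))

    def handle_comment(self, data):
        for match in SSN_RE.findall(data):
            self.findings.append(("comment", match))


def scan_html(html):
    """Return all SSN-pattern findings in document order."""
    parser = SSNLeakScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def hidden_only(html):
    """Return only the findings a browser would not display to the user."""
    return [(where, value) for where, value in scan_html(html)
            if where != "visible text"]


if __name__ == "__main__":
    for where, value in scan_html(SAMPLE_HTML):
        print("%-22s %s" % (where, value))
```

Run it against the saved source of a page (`curl -s URL > page.html`, then feed the file's contents to `scan_html`) rather than against a screenshot or a rendered view; the point the example makes is that "not shown" and "not sent" are different properties, and only the second one protects the data.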
In some respects the threatened prosecution resembles the 2019 arrest of two Coalfire penetration testers during a physical-security engagement the state of Iowa had hired them to conduct at a county courthouse. That incident seemed to involve jurisdictional confusion and a failure to communicate between the state and county authorities. See WIRED's piece for a summary of that incident. The after-action review the Iowa Supreme Court commissioned is also worth reading.
But all things considered, the Missouri incident is more difficult to understand. We've contacted both the Governor's office and that of the Cole County Prosecutor with some questions, but haven't so far received any response. For now, we'll give the final word to Missouri State Representative Tony Lovasco (representing Missouri's 64th District, and, like the Governor, a Republican). He tweeted, "It's clear the Governor's office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking."
Army CIO offers rebuttal regarding US AI prowess.
As we noted earlier this week, former Pentagon senior cybersecurity official Nicolas Chaillan caused much debate after authoring a LinkedIn post claiming that the US Department of Defense is far behind China in the area of artificial intelligence technology. Army CIO Raj Iyer is weighing in, and as he told Breaking Defense, although China might be superior when it comes to using AI for surveillance, the US’s AI technology is more advanced overall. Citing the Pentagon’s collaboration with industry and coalition partners, Iyer said, “I can tell you the Chinese don’t have that. They’re operating in a vacuum, and they’re relying on nefarious methods and cyberattacks to be able to get to, you know, what they think they know that we have.” In a report published Tuesday, researchers at RAND Corp reach a broadly similar conclusion, forecasting that “China’s relative share of power will increase relative to the United States and Russia at least through 2022 and that aggregate Chinese and Russian power will continue to approach, but not exceed, US power through 2022.”
It’s all fun and games…
Speaking of the Sino-American cyber-race, both China and the US are demonstrating a creative approach to cultivating cyber talent. The Washington Post reports that the US is launching the US Cyber Games, a series of tournaments modeled after competitive video gaming (or “esports”) with the goal of identifying future cybersecurity leaders. Supported by a collaboration between the federal government, academia, and the private sector, the initiative is backed by the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education and will kick off with an inaugural International Cybersecurity Challenge in Greece this December. Participating countries will field teams of competitors aged 18 to 26 to compete in contests that show off their cybersecurity skills. “Practicing defenses in today’s world when all rules are changing is difficult. This helps them see what attacks look like in real life,” said Jessica Gulick, commissioner of the US Cyber Games initiative and founder of digital marketing firm Katzcy.
In China, Flashpoint reports that tomorrow marks the start of the Tianfu Cup, where the country’s best hackers will display their most innovative techniques. The competition was established in 2018 after the Chinese government forbade its cybersecurity researchers from participating in international hacking competitions (where they routinely dominated), on the grounds that the zero-day exploits its researchers developed had strategic value and should stay within China rather than be handed to foreign vendors. The competition is modeled after the well-known international competition Pwn2Own, and the exploits demonstrated are reported to the affected vendors so that patches can be developed. That said, one exploit demonstrated at the 2018 Cup was later found to have been used in government surveillance of the country’s Uyghur population, a reminder that disclosure to the vendor and exclusive retention by the state are not the same thing.