At a glance.
- US National Cyber Director says confidence is key.
- CISA focuses on fighting election disinformation.
- Europe’s continuing battle with commercial spyware.
US National Cyber Director says confidence is key.
At the DEF CON hacker conference last week, US National Cyber Director Chris Inglis spoke about America’s cybersecurity strategy, Nextgov.com reports. Inglis defined recent cyberattacks in three waves: a first wave “focused on adversaries holding data and systems at risk;” a second wave in which the attackers “still held data and systems at risk, but they then abstracted that into holding critical functions at risk;” and a third wave aimed at killing the confidence of the American people. Inglis explained, “The most important lesson from that is [attackers] then held the confidence of millions of people at risk. And what they eventually succeeded in doing was in defeating one, they defeated all. They defeated tens of millions of people because of a single person’s error. We need to flip the script.”
The way to do this, he went on to say, is to concentrate on defense, invest in cyber resilience, and establish clearly defined roles and responsibilities. “That’s how you defend collaboration, and confidence too, so that you need to make sure that everyone in the system understands what role they play in the defense of that system, so that everyone can participate in their own defense,” he added. As the Record by Recorded Future notes, Inglis referenced Ukraine as an example of what US cybersecurity should aspire to be. Despite Russia’s upper hand when it comes to cyber offense, Ukraine, he said, collectivized its cyber defense by creating a resilient and robust system supported by greater cybersecurity awareness among its residents. He also applauded the actions taken by major tech providers like Microsoft, ESET, and Cisco to enhance their cybersecurity efforts in Ukraine by viewing their terms of service as a pledge to defend Ukrainian customers.
CISA focuses on fighting election disinformation.
US Cybersecurity and Infrastructure Agency (CISA) Director Jen Easterly also spoke at DEF CON last week, sharing that CISA is beefing up its efforts to stem the flow of disinformation in preparation for the 2024 US presidential election. Easterly explained, “We recognize this is not a partisan issue. Where I fear that the system will break down in a spectacular way is if CISA all of a sudden becomes a partisan agency.” Easterly said she is making sure to bring in officials from both parties, and she has already brought on former Secretary of State of Washington Kim Wyman, a Republican, to help CISA with safeguarding the election process from misinformation and disinformation. CyberScoop adds that Maria Barsallo Lynch, executive director of Harvard University’s Belfer Center’s Defending Digital Democracy Project, has also joined CISA’s growing information operations team, and CISA is connecting with secretaries of state in order to equip local election officials with the necessary tools to fight the spread of falsehood. “John Adams talked about [how] facts are stubborn things,” Easterly stated. “We live in a world where facts are not necessarily as stubborn as they used to be.”
Europe’s continuing battle with commercial spyware.
It’s common knowledge that the Israeli surveillance software maker NSO Group’s Pegasus spyware has been used to track the devices of opposition leaders, journalists, and lawyers all over the world. But what sets Greece’s recent surveillance scandal apart is that the spyware used was not made by NSO, but by Cytrox, a North Macedonian firm owned by intelligence company Intellexa. Indeed, spyware attacks are surging through Europe, as Italian spyware vendor RCS Lab was found to be targeting smartphones in Italy and Kazakhstan, and just last month Microsoft discovered that spyware from DSIRF, an Austrian surveillance software firm, was being used to hack into law firms, banks, and consultancies in Austria, the UK, and Panama. Despite this, many European lawmakers are perhaps disproportionately focused on taking down NSO Group. Etienne Maynier, a technologist at Amnesty International’s Security Lab, told Wired, “Even if NSO Group closes tomorrow because of all the problems they face today, the situation will be the same if there is no change in the regulation. The problem is not one bad company. It’s really the legal structure that makes these companies take these decisions.” An editorial in Haaretz posits that one solution could be to treat spyware like the digital weapon it is and impose tighter regulations on its export, much like any physical weapon. Though Israel’s Defense Ministry has been tight-lipped about regulation, sources say Intellexa currently operates with no export controls, despite the fact that its owner is an Israeli citizen.
Meanwhile, European officials have been waiting with bated breath for NSO to share its client list, which until now the company has been reluctant to divulge. When previously asked how many members of the EU had purchased its products, NSO’s lawyers only responded “at least five,” promising to come back with a clearer answer at a later date. Techdirt reports that that later date has finally arrived. During a meeting with the European Parliament Committee of Inquiry, the spyware maker revealed that the company has active contracts with twelve EU countries and is currently working with twenty-two security and enforcement organizations in the EU.