At a glance.
- Pegasus investigation in Spain.
- Recruiting cyber talent for the US Department of Defense.
- FDIC breach disclosure rules considered.
Spanish Prime Minister targeted with Pegasus spyware.
The Guardian reports that at a press conference yesterday, the Spanish government disclosed that the phones of the prime minister, Pedro Sánchez, and the defense minister, Margarita Robles, were infected with NSO Group’s controversial Pegasus surveillance software. Minister for the presidency Félix Bolaños said the phones were targeted last year and that data had been extracted from the devices, SecurityWeek reports. Bolaños remarked, “We have no doubt that this is an illicit, unauthorized intervention.” He made it clear that the surveillance must have been conducted by an external party, since no judicial authorization for such surveillance had been granted. Politico notes that Sánchez is the first confirmed head of government of a European country and NATO member to have been tracked using Pegasus. The incident will be investigated by the Audiencia Nacional, Spain’s national court, and the phones of other government officials are being analyzed to determine whether they were compromised as well.
The Record by Recorded Future adds that the revelation comes on the heels of reports that the phones of politicians and activists connected to Spain’s Catalonia separatist movement were also infected with Pegasus, surveillance the victims suspect was carried out by Spain’s National Intelligence Center, CNI. Reuters reports that Catalan president Pere Aragones, upon hearing about the Spanish Prime Minister’s infected phone, responded, “When the mass surveillance is against the Catalan independence movement, we only hear silence and excuses. Today everything is done in a hurry.”
This is just the most recent in a long list of surveillance incidents tied to NSO Group’s Pegasus spyware, but as always NSO maintains that the software is sold only to governments to aid in criminal investigations. A company spokesperson stated, “While we have not seen any information related to this alleged misuse and we are not familiar with the details of this specific case, NSO’s firm stance on these issues is that the use of cyber tools in order to monitor politicians, dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools.”
Bits versus bullets.
Pentagon officials say the war in Ukraine has demonstrated that the need for machine learning and artificial intelligence experts to support government defense efforts has never been more pressing. “I like to say that bits can be as important as bullets,” Deputy Secretary of Defense Kathleen Hicks told Wired. Cutting-edge technology – like the AI software used to interpret Russian radio communications, facial recognition tech to identify Russians in video footage, and custom drone weaponry designed for use by Ukrainian forces – has been key in the Department of Defense’s (DoD) efforts during the war. The National Security Commission on Artificial Intelligence, an independent commission created by Congress to assess the evolving technology landscape, says the US needs to focus more on emerging tech and on collaboration with the private sector to compete with adversaries like China. For its part, the DoD has been trying. The Defense Innovation Unit was established in 2015, and last month the Pentagon appointed Craig Martell, former head of machine learning at Lyft, as its first chief digital and artificial intelligence officer. Researchers at Emsi, which tracks job listings, say 33% of defense industry job advertisements mention software development or data science skills, up 91% since 2017, and the Pentagon has awarded multibillion-dollar contracts to companies like Lockheed Martin and Raytheon. However, experts say partnerships with Silicon Valley, which have historically been met with protest from employees reluctant to work on military contracts, will be necessary to truly keep up with innovation.
Should the FDIC’s breach reporting rules be extended to other sectors?
In March, the US Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint announcement on the computer-security incident notification requirements for the banking organizations they supervise and their bank service providers. The rule requires a banking organization to notify its primary federal regulator within 36 hours of determining that a “notification incident” has occurred; compliance was required beginning May 1. In an op-ed in the National Interest, one expert argues that while the financial sector will benefit from the reporting rules, such information-sharing requirements should be implemented across all sectors. The op-ed also argues that security analysts will need to be given the tools necessary to shoulder the increased burden these requirements will entail.
Padraic O'Reilly, co-founder of cyber risk management firm CyberSaint, wrote to outline some things he thinks the US financial services sector should bear in mind as the regulation takes effect. First, how prepared are banks and other affected institutions for the rules?
"It is likely that smaller institutions are not fully prepared to meet this requirement. The shorter timeline, 36 hours, is an attempt to gain situational awareness by the Feds across the entire sector. There is still some confusion in the smaller institutions about what constitutes an event. Also, forensic capability is often not all that strong. IT and infosec professionals should present management with cost effective options to meet these requirements, from better logging and analysis of events to coordination among those responsible for reporting."
And, second, what steps should they take to prepare for the new regulations?
"Banks should formally review the types of incidents covered in the proposal, and review their current processes to assess any potential shortfalls in capability. This is really a tightened timeline on a 15-year-old requirement, and an expansion of what constitutes covered incidents. Smaller concerns need to evaluate their current processes for reporting, make sure they have the proper government contacts in place, and put procedures in place to file reports. This will entail coordination between legal, IT, and infosec (if they have such a function)."