The CyberWire Daily Podcast 11.7.22
Ep 1699 | 11.7.22

Election security on the eve of the US midterms. US FBI rates the hacktivist threat. Microsoft says China uses disclosure laws to develop zero-days. Remember Silk Road? The Feds do.

Transcript

Dave Bittner: On the eve of the U.S. midterms, the U.S. FBI rates hacktivist contributions to Russia's war as unimportant. Microsoft accuses China of using vulnerability disclosure to develop zero-days. Andrea Little Limbago from Interos addresses accountability for breaches. Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative. And finally, remember Silk Road? I assure you the Feds do.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 7, 2022. 

Election security on the eve of the US midterms.

Dave Bittner: The U.S. midterm elections will conclude on election day tomorrow, though in most jurisdictions, they've been underway in the form of mail-in ballots and other forms of early voting for weeks. In general, the U.S. federal authorities involved in helping states secure the vote have been optimistic about the prospects for a vote unaffected by cyberattacks proper. There has been a recent surge in Russian disinformation deployed against U.S. voters, the New York Times reports, with the Internet Research Agency's trolls and bots resurfacing again, as they have for the last several election cycles. How successful the influence campaign will be is unclear, although widespread awareness that it's in progress will no doubt blunt such effect as it may have. 

Dave Bittner: The present campaign differs from earlier Russian efforts in the extent to which it seeks to convince, as opposed to simply confuse, its audience. The positive line being pushed from Saint Petersburg - positive from the Kremlin's point of view - is that U.S. support for Ukraine is a wasteful expenditure and a losing and unworthy cause. Whether that story will turn out to have legs is unknown, but at this point it seems unlikely. The Washington Post says that CISA is taking a hands-off approach to specific disinformation. The agency will not, for example, flag specific false claims in social media. 

Dave Bittner: U.S. officials have recently expressed confidence that direct cyberattacks against election infrastructure are unlikely to have much, if any, effect. And by that, they think of such things as locking up voting machines, directly manipulating vote counts or interfering with reporting and tallying - those sorts of capers. CISA's Friday communication about election security focused instead on the threat of dis- and misinformation. In particular, it urged voters to remember that early counts are not official and that isolated local problems and accidents shouldn't be interpreted as evidence of systemic corruption or unreliability. 

US FBI rates hacktivist contributions to Russia's war as unimportant.

Dave Bittner: So what about DDoS attacks on election systems? Are these likely to disrupt the elections? Probably not, as much as various hacktivist groups might try. On Friday, the FBI offered an assessment of nominally hacktivist groups serving as Russian auxiliaries in the war against Ukraine. Groups like Killnet are having a minor effect at best, the bureau says. Their DDoS attacks have not generally risen above a nuisance level. They've been unsophisticated and haven't really achieved crippling effects on their targets. 

Dave Bittner: The bureau's description of hacktivism and how it works is worth quoting. The advisory says the FBI defines hacktivism as a collective of cybercriminals who conduct cyber activities to advance an ideological, social or political cause. Historically, hacktivist collectives conducted and advocated for cybercrime activity following high-profile political, socioeconomic or world events. Coinciding with the Russian invasion of Ukraine, the FBI is aware of pro-Russian hacktivist groups employing DDoS attacks to target critical infrastructure companies with limited success. Hacktivists provide tools and guidance on cyberattack methodology and techniques to anyone willing to conduct an attack on behalf of their cause. DDoS attacks of public-facing websites, along with webpage and social media profile defacement, are a preferred tactic for many operations. These attacks are generally opportunistic in nature and, with DDoS mitigation steps, have minimal operational impact on victims. However, hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service. 

Microsoft accuses China of using vulnerability disclosure to develop zero-days.

Dave Bittner: So the effects of DDoS may well be more in our head than anywhere else. The value of a zero-day exploit drops quickly. Once it's used, it's blown, and once the vulnerability it takes advantage of is patched and disclosed, then it works only as long as there are unpatched systems out in the wild for the zero-day to exploit. Microsoft reported Friday that China's government seems to be using its vulnerability disclosure law to gain access to vulnerabilities before they're generally announced. This enables Chinese intelligence services to develop and deploy zero-day exploits during a narrow window of opportunity, Microsoft suggests. Beijing's interests remain focused on espionage and intellectual property theft. And if Microsoft has it right, they're picking up the tempo of their exploit development process. In full disclosure, we note that Microsoft is a CyberWire partner. 

Remember Silk Road? The Feds do.

Dave Bittner: And finally, it was a case long in the making, but now it's over. James Zhong, whose house was raided last November, on Friday took a guilty plea to U.S. federal charges of committing wire fraud in September 2012, when he unlawfully obtained over 50,000 Bitcoin from the Silk Road dark web internet marketplace. On November 9, 2021, IRS agents recovered more than 50,000 Bitcoin from Mr. Zhong's Gainesville, Fla., house. For a raid on a virtual currency stash, the raid picked up a lot of physical stuff. The Justice Department says they found the proceeds in an underground floor safe and on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet. The raid also picked up $661,900 in cash; 25 Casascius coins, a physical Bitcoin token worth about 174 Bitcoin; four one-ounce silver-colored bars; three one-ounce gold-colored bars; four 10-ounce silver-colored bars and one gold-colored coin. 

Dave Bittner: So you're no doubt asking, wasn't Silk Road a contraband market law enforcement took down years ago? It was. And its proprietor, Mr. Ross Ulbricht, also known as the Dread Pirate Roberts, was convicted of various crimes in connection with Silk Road back in 2015. Mr. Zhong was thus engaged in some criminal-on-criminal crime. The amount of wire fraud he pled to carries a maximum sentence of 20 years. How long a sabbatical Mr. Zhong will actually receive in a U.S. federal correctional institution will be decided when he's sentenced in February. 

Dave Bittner: After the break, Andrea Little Limbago from Interos addresses accountability for breaches. Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative. Stick around. 

Dave Bittner: The Partnership for Public Service is a nonprofit, nonpartisan organization whose mission is to build a better government and stronger democracy. Part of how they pursue that mission is by inspiring folks to serve in government. They recently launched the Cybersecurity Talent Initiative, a public-private partnership aimed at recruiting and training a world-class cybersecurity workforce. Michelle Amante is vice president of federal workforce programs at the Partnership for Public Service. 

Michelle Amante: So our mission today is better government, stronger democracy. So how do we make the government more effective for the American people? We do that in a lot of different ways. We help federal leaders. We support research. We recognize really important federal public servants or Service to America medals. And then my team works on talent. And how do we think about getting more talent, diverse talent, young talent, specialized talent into the federal workforce? 

Dave Bittner: Well, let's talk about the Cybersecurity Talent Initiative. How did this get started? 

Michelle Amante: Yes. So we launched our first cohort in the summer of 2020. And it all started, actually, with Mastercard, which is our founding partner. And they came to us, and they said, look. We want to help solve this problem with you. You know, at the time, there was, you know, over a 500,000 gap in cybersecurity jobs. And I believe that number is now over 600,000 gap of jobs both in the public and the private sector. And they said, you know, we want to help solve this problem. You work in the federal space. We also need talent. What can we do together? So we co-designed this program, which will bring recent graduates, both undergrad and graduate students, into federal positions for two years and then serve in these federal positions in cybersecurity roles for two years. And then they have the option to either stay in government or go work for one of our private sector sponsors. And so in this way, our sponsors, who are amazing - I want to give a shout out to them now - Microsoft, Mastercard, Accenture, CyberVista and Workday - are able to really not only get great talent for themselves but really help contribute to this larger problem that we're all facing in terms of getting just more talent in the cybersecurity space and helping our country. 

Dave Bittner: Well, help me understand for the folks who are going to go through this program, what's the advantage there for them? 

Michelle Amante: So what we do is we really - we bring them in. And once again, it's a two-year fellowship with a federal agency where they, one, don't have to go through the normal hiring process. So we work a lot with students, and we know that this is a huge barrier going to USAJobs and trying to navigate that process. So they apply through the partnership's website. And we have open places with federal agencies, and we help facilitate that process. So that's step one. We make it a lot easier for them. The second thing we offer is throughout the two-year fellowship, we offer technical training through our partner CyberVista. And throughout the two years, we also offer professional development and leadership training, which is something really unique to our program. We also offer mentoring with both federal partners and partners in the private sector so they have someone that they can lean on, talk to about the space, think about their professional goal. And then the third benefit to the program is that if they take a job with one of our private sector sponsors, they are eligible for student loan reimbursement, which is a huge advantage. 

Dave Bittner: Yeah. I mean, that's really interesting. And it's - we hear so often that folks are having trouble finding those entry-level jobs, that particularly out in industry in the cyber world, you know, they want - an entry-level job means that you had ten years of experience, you know. And it strikes me that this is a nice balance between those two things. You can come in and get some experience under your belt. And after that two years, you have options. 

Michelle Amante: Yes, I absolutely agree. And we see that in the federal space, too. Very few agencies are building the pipeline. So if everyone is going after that mid-career talent, there is no talent coming up through the ranks. So this is a great way to do it, where the participants are very supported and encouraged to continue in this field and are given a lot of options after they finish the program. 

Dave Bittner: So who is your ideal candidate here? Who are you hoping to attract? 

Michelle Amante: So the student graduate or undergraduate, as I said, they don't even have to have a specific focus in cyber. So we're looking for students who have a focus in computer science, information systems, or even if it's mathematics or in - you know, with a minor in computer science, you know, something, obviously, with a background that's going to set them up for success as they take the job. Also, public-service oriented, right? We are - people who work in the federal space are called to serve, and they - you know, they go for the mission. And so, do they have some sort of call to serve? And so that is reflected in the essay as we try to make the application process very easy and smooth. But we do have some essays, and we want to hear from these prospective fellows about why they want to work in the federal government. What is their specific call to serve? We're really hoping that more corporate partners will join us in this mission and in this goal to help close the gap and help serve our country. And so you can find information, whether you're a student or a corporate sponsor, on the webpage. 

Dave Bittner: That web page is gogovernment.org. Michelle Amante is vice president of federal workforce programs at the Partnership for Public Service. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She is senior vice president for research and analysis at Interos. Andrea, it's always great to welcome you back. You know, we've had several stories in the news lately where we have CISOs who are being called on the carpet for breaches that have taken place. Indeed, you know, we saw Mudge, who was a whistleblower with the situation at Twitter. I wanted to touch base with you on accountability. And ultimately, you know, where does the buck stop when it comes to accountability in these breaches? 

Andrea Little Limbago: Yeah. Yeah, no, no, that's the question of the day right now that I think a lot in the security community are debating because there isn't a clear, identified role that actually, at the end of the day, is the one responsible. In theory, you know, many would argue the CEO is the one who's responsible for the entire organization. And yet, we're seeing the chief security officer of Uber on trial right now for response to a data breach. And that coupled with what we're seeing with Twitter and with Mudge's discussion, is really that - you know, the focus on who's going to be liable? I mean, so at the end of the day, the chief security officer or chief information security officer, they're the ones responsible for the security within a company. And that's - you know, the argument is that they should be the ones held responsible. But what we increasingly hear, and I think a lot of us in the community know, they may not be resourced to do what is needed. And so there is a - and even if they are, you know, are they the ones that actually are the ones that are, you know, legally obligated to report a breach? Very often within a company, they aren't the ones that actually would be, you know, perhaps reaching out to the FTC if there's a breach. And you augment that with a really big patchwork of data breach notification laws in the U.S. - there are about 54. 

Andrea Little Limbago: If you think of it, every state has their own data breach notification law, plus D.C., Guam, Puerto Rico, Virgin Islands. So, you know, you basically have this patchwork of data notification laws, that each one has a - you know, a little bit of a different nuance to it. And so it becomes extraordinarily difficult both from a policy angle and then organizationally within a company to know really where that buck stops. But it really - I think, it's unsettling for many to see chiefs of security officers brought to trial, given the widening aperture of what a chief security officer's charged with for responsibilities and then, you know, coupled with the - did they have the resources or not? So it really - it's one of those discussions I think that's going to be ongoing for quite some time and is already adding to a very complex role that we're seeing. 

Dave Bittner: You know, just last week I was speaking with someone who's a CISO, and she was saying that in many organizations, it's her experience that chief security officers, chief information security officers, they're really C-suite members in name only, that, you know, they're burdened with a lot of the responsibilities but aren't actually elevated to the level that many of the other C-suite folks are. 

Andrea Little Limbago: Right. And that's - you know, I think Mudge's testimony, you know, highlighted that. No matter how many times you can bring some of the problems to more of the executives that are on the business side, it either gets ignored, or none of the resources are put there, or the authority, to actually solve, say, lackadaisical security. You know, the resources just aren't even there or prioritized. And so the - you know, the chief security officer can only do so much as far as highlighting these different challenges, but they don't have the buy-in from the CEO, from your chief legal officer, from the board of advisers. It becomes extraordinarily difficult for them to implement. Yet they're the ones who, increasingly, are - become the face of the breach when a breach happens. And as we've seen, you know, there are very few companies that you could point to that have not had a publicly - public profile breach. And if they haven't had a public profile, they probably have just done a good job keeping it out of the media, is really the reality these days. 

Dave Bittner: I can't help wonder if this is part of the reason why we see such high turnover with CISOs. I mean, you know, they're - it's a tough job, and I can see why it's not something you'd want to stay with for so long. 

Andrea Little Limbago: Right. And at least by some of the studies that are out there, it's about an 18-month average tenure for someone in that position, which is extraordinarily short when you compare it to other C-suite jobs. But yeah, I mean, it's increasingly hard. There's a lot both on the line as far as it's such an important role for keeping the company's data protected and the people protected, but if the resources aren't there, that becomes problematic. If the support across the board is not there, that becomes very hard. And then even from there, you're seeing it's a broader role as well for, you know, the CISOs to take on other kinds of risks across the company, as well. And the supply chain risk is one that is increasingly - one that's starting to fall under their umbrella, as well. So it's a role that has a ton of responsibility but not necessarily always the authority to do what's needed to be done. 

Dave Bittner: Are we seeing any movement here? I mean, are the folks signing up for these positions saying, look - I'll do this, but here are my terms? 

Andrea Little Limbago: I think increasingly. And that's where I think it'll be interesting to see how the market shifts. On the one hand, I think there's increasing requests for various kinds of insurance and legal fee coverage in case that does - you know, comes to that. And so we need to keep an eye on what happens on the insurance front. And then conversely, with the policy side, really helping get at this liability issue - because not only does it encourage companies to not actually share information about a breach, which then can help inform everyone else that might also be a target, so it limits everyone else's security, but, you know, it just impacts how - you know, how companies are going to, you know, attract talent to take on these kind of responsibilities. And so if we had actually some more federal guidance implemented across the board in the data breach area, especially addressing the aspect of liability, I think that could go a long way to helping lessen a tiny bit some of the burnout that's happening with the chief security officers. 

Dave Bittner: Right. Right. All right, well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: All right. Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.