Hacktivism, auxiliaries, and the cyber phases of two hybrid wars. Challenges of content moderation. Cyberespionage in the supply chain. Don’t buy all the hype, but do fix your Linux libraries.
Dave Bittner: Hacktivists join both sides of Hamas's renewed war. Disinformation and content control in social media. Storm-0062 exploits an Atlassian 0-day. Curl and Libcurl vulnerabilities. Betsy Carmelite from Booz Allen on how to expand and diversify the Cyber Talent Pool. Our guest is Kuldip Mohanty, CIO of North Dakota. And some further reflections on hacktivism and the laws of war.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, October 12th, 2023.
Dave Bittner: We begin with some cyber news from the war in the Middle East.
Warning of Hezbollah air attack on Israel from Lebanon was a false alarm.
Dave Bittner: Automated systems do malfunction, and that may be what happened with air defense warnings along Israel’s northern border this week.
Dave Bittner: Israel went on alert yesterday with warnings of large inbound air attacks from Lebanon, thought to have been mounted by Hezbollah. (Like Hamas in Gaza, Hezbollah is an Iranian client and proxy.) The alert turned out to be a false alarm produced by Israel's automated warning system, the Jerusalem Post reported. What caused the malfunction remains under investigation, but there's no immediately available evidence that the issue was the result of a cyberattack.
Hacktivists join both sides of Hamas's renewed war.
Dave Bittner: Hacktivist groups whose principal interests lie elsewhere have joined one side or the other in the war between Hamas and Israel. Techopedia offers an updated account of who's in action. The best known groups are the Russian auxiliaries KillNet and Anonymous Sudan; the mission they've been given is fundamentally one of influence and harassment. The war in the Middle East is seen in Moscow as an opportunity to distract Western supporters of Ukraine, ideally to reduce their tangible support of Kyiv's war effort. Palestinian and Islamist groups have also lined up with Hamas. The Indian Cyber Force, normally preoccupied with Pakistan and other South Asian states in tension with India, has come in on the side of Israel, claiming to have taken down Hamas sites and other pages belonging to Palestinian authorities. The confirmed cyberattacks have so far been nuisance-level defacements and distributed denial-of-service (DDoS) attacks. Claims of successful cyberattacks on infrastructure remain for the most part unconfirmed hacker bragging.
Dave Bittner: One volunteer group acting for Israel functions as an augmentation to intelligence services. The Wall Street Journal reports that the Israel Tech Guard, formed by workers in the country's cybersecurity sector, has been concentrating on the labor-intensive work of looking through online content to, among other things, seek to identify and locate Israelis taken hostage by Hamas. The volunteers are also working to secure online tools that contribute to public safety, like the Red Alert app compromised in the early hours of Hamas's assault.
Disinformation and content control in social media.
Dave Bittner: Much of the disinformation circulated in the course of the war in the Middle East has been produced in the interest of Hamas, and most of it has circulated in social media. X, formerly known as Twitter, has come under more criticism than other platforms, CNN reported. Disinformation and incitement have run through X, and many observers regard this as a foreseeable result of X's recent dismantling of its content moderation safeguards. X does retain what WIRED characterizes as a remnant of Twitter's Trust and Safety Team, and that remaining team says it's working to reduce the amount of demonstrable misinformation in circulation on X. They've struggled to do so, and a great deal of obvious disinformation continues to emanate from X Premium accounts. European commissioner Thierry Breton wrote X to warn the platform that its failures in this respect may constitute violations of the European Union's Digital Services Act (DSA). The Verge reports that Elon Musk, X's proprietor, asked for clarification and said, after an exchange with M. Breton, “I still don’t know what they’re talking about!” That’s the kind of thing WIRED calls kaka-posting. (We bowdlerize. WIRED’s headline used a coarser, more demotic word that we won’t mention because we’re a family show.)
Dave Bittner: Monsieur Breton also wrote Meta, asking CEO Mark Zuckerberg to ensure that Facebook and Meta's other properties take a close look at their own wartime content moderation. Reuters quotes the letter as saying, in part, "I would ask you to be very vigilant to ensure strict compliance with the DSA rules on terms of service, on the requirement of timely, diligent and objective action following notices of illegal content in the EU, and on the need for proportionate and effective mitigation measures." Meta told CNBC, “After the terrorist attacks by Hamas on Israel on Saturday, we quickly established a special operations center staffed with experts, including fluent Hebrew and Arabic speakers, to closely monitor and respond to this rapidly evolving situation. Our teams are working around the clock to keep our platforms safe, take action on content that violates our policies or local law, and coordinate with third-party fact checkers in the region to limit the spread of misinformation. We’ll continue this work as this conflict unfolds.”
Dave Bittner: Meta’s practices with respect to content moderation have concentrated, with, it should be said, some commendable diligence, intelligence, and good effect, on exposing coordinated inauthenticity. That’s had a positive effect in unmasking and quieting state-run disinformation channels. Whether it will work as well against the individual hot wars like the one now being waged in the Middle East remains to be seen. Earlier Facebook experience with interethnic violence in South Asia suggests that Meta will probably have to increase fact-checking and direct content moderation.
Storm-0062 exploits Atlassian 0-day.
Dave Bittner: Microsoft warns that the nation-state threat actor Storm-0062 has been exploiting CVE-2023-22515, a broken access control vulnerability affecting Atlassian’s Confluence Data Center and Server products, since September 14th. SecurityWeek reports that the threat actor is conducting cyberespionage for China’s Ministry of State Security (MSS).
Dave Bittner: It’s a well-prepared campaign designed to compromise and exploit a software supply chain. As usual, apply updates according to vendor instructions.
Dave Bittner: In full disclosure, we note that Microsoft is a CyberWire partner.
Curl and Libcurl vulnerabilities.
Dave Bittner: The latest version of the Linux curl project has been released, fixing two vulnerabilities affecting the curl tool and the libcurl library. One of the flaws is a heap-based buffer overflow vulnerability that could lead to remote code execution. CyberScoop notes that the severity of the flaw may have been overhyped before its release, since the vulnerability can only be exploited under very specific circumstances.
Dave Bittner: Nevertheless, the vulnerabilities merit attention. Johannes Ullrich, dean of research at the SANS Technology Institute, noted, “This is only a valid exploit if you take unvalidated data and create an HTTP request via a SOCKS5 proxy to a hostname created from the unvalidated data. My recommendation is to upgrade without haste. I rate the probability of this happening in actual code as very low. If you accept data, not validate it, and just blindly pass it to libraries like curl, you will likely have other problems that are easier to exploit.” So there’s no need for panic, but the vulnerabilities are just some of those things that will require attention.
Hacktivists and the laws of war.
Dave Bittner: OODA Loop takes a look at an essay by officials of the International Committee of the Red Cross (ICRC), "8 rules for 'civilian hackers' during war, and 4 obligations for states to restrain them," that proposes extension of international humanitarian law to wartime hacktivism, and it thinks the recommendations may have amounted to too little and arrived too late. The author, Emilio Iasiello, sees several reasons why a commendable attempt to civilize hacktivist conduct will fall short of expectations. First, it's a purely voluntary, ethical code. Second, the notorious difficulty of attribution of cyber activity will make it difficult to hold hacktivists to any code, voluntary or not. And, finally, it's difficult to imagine what unbiased party might serve as an arbiter of an ethical code: misconduct is, even more than beauty, in the eye of the beholder.
Dave Bittner: The criticism is in some ways well taken. There may, however, be more room for optimism than the OODA Loop piece allows. First, as the critique itself acknowledges, the ICRC officials who wrote the rules for hacktivists are not naïfs. They're aware that the laws of armed conflict are imperfectly observed and enforced. Russia's war against Ukraine provides ample evidence of that. But their proposal shows how the principles behind the laws of war and international humanitarian law might be applied to action in cyberspace. Proportionality, discrimination, and avoidance of unnecessary suffering all have obvious relevance.
Dave Bittner: The ICRC officials also point out that hacktivists could legitimately be considered, under some circumstances, to have forfeited their noncombatant status. The two officials propose eight rules for hacktivists, but they outline four obligations (we emphasize, “obligations”) that states have with respect to the hacktivists acting in the states' interests or operating from within the states' jurisdiction. Thus the extension of the laws of armed conflict the ICRC suggests is neither idealistic nor unenforceable in principle. International law evolves with war itself. That's as true today as it was in Nuremberg in 1946, and the prosecutors got some convictions there. One of them, deliberate spreaders of malicious information take note, was entirely for incitement to genocide.
Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen on how to expand and diversify the cyber talent pool. Our guest is Kuldip Mohanty, Chief Information Officer of North Dakota. Stick around. I recently had the privilege of being a guest and speaker at CyberCon 2023, a cybersecurity conference hosted at Bismarck State College in North Dakota. Before the trip, I had heard that North Dakota had adopted an innovative whole-of-state approach to cyber. To learn more about that, I sat down with Kuldip Mohanty, Chief Information Officer for the state of North Dakota.
Kuldip Mohanty: Security is a role that we in the state believe that it has to have a whole-of-state or whole-of-government approach. And the reason for that being, this is a responsibility from the state government that we need to own, discharge the duties that it takes to deliver that robust approach. Then the posture that is required to do threat hunting or the mediation of vulnerabilities or preparing that detection response approach from a whole-of-state allows us to be consistent across all agencies should there be a situation that we have to deal with in the future. With our centralized organization, it also allows us to have one central IT capability and security has to be a central capability because security is everyone's job. We've got to enable that education, training across the board, and that's kind of the whole-of-state security approach where we're starting with education, empowerment, understanding, and the deployment in a centralized way that allows us to know the threat hunting and the threat detection and then provide the response and the mediation plans as and when it shows up.
Dave Bittner: What are the practical implications of that? I mean, when we look at North Dakota as a state, you have pockets of sort of centralized population, but then there's a lot of folks dispersed over a wide area. What does that mean for you and your responsibilities to protect them?
Kuldip Mohanty: If you think about it, the composition of our state is very rural in nature. With rural, it comes with a lot of understanding or lack thereof in terms of what Internet connectivity means, how easy it is to get framed in phishing attempts or ransomware attacks or what have you from a data loss perspective. And many of our rural communities do not have the ability to even jump in and understand what security threat is. So with that whole-of-state approach, we have been good at developing the education, developing that broadband connectivity to allow people to connect to Internet, but also having our stage net infrastructure, which brings everything together, having the threat hunting at the place where everybody connects through allows us to be more responsive. Whereas, let's not just leave that responsibility back to the citizens. We have a responsibility for the state, and how do we discharge it in a more meaningful way?
Dave Bittner: Yeah, here at the conference, the presentation that you gave, I was impressed with some of the stats that you shared about how far ahead North Dakota is when it comes to connectivity to not just connecting people, but making sure that it's meaningful, that they have the speeds that they need to participate in today's community. I'm curious, are there things that are specific to North Dakota that present specific challenges, and are there things that are specific to North Dakota that also provide certain opportunities for someone in your position?
Kuldip Mohanty: Great question, Dave. I mean, the way I would address that is because we're rural in nature, the challenges are more about it doesn't impact them, so they don't care or they shouldn't care, right? Knowing that dynamic, how do we get in front of it? So being small and being very dispersed, it also is nimble for us, too. We can move mountains pretty quickly. Because of our density in certain larger metro areas, such as Bismarck or Fargo or Grand Forks, there are a lot of smaller communities. And knowing the fact that getting that outreach out there to smaller communities, starting to educate folks around what cyber can mean and the events like CyberCon or CyberMadness that we do for high school students, to bring that early awareness on cybersecurity and its importance and how it impacts everybody's life. Because that kid that comes to CyberMadness competition goes and talks to the community or talks to the parents and then word spreads. So creating that angels of information sharing through these high school kids and elementary school kids that allows us to improve that and the nimbleness comes to the process. Other thing is, our PK20W initiative is really geared towards driving cybersecurity and computer science education. Now, you cannot graduate out of high school unless you have cybersecurity and computer science as two required course curricula in your high school process. And that's something I don't know how many states do it today, but that's where we're trying to push it from grassroots. Not just a matter of talking about what is the art of possible from the whole of state, but also change that momentum all the way to the communities so it becomes a sustained effort and continues to keep us ahead of the curve.
Dave Bittner: I really think that's worth highlighting in that whole of state means that you are reaching kids through their whole educational journey. And that has to really yield good payoffs for this next generation of citizens who are coming up.
Kuldip Mohanty: Absolutely. And if you think about the projection of jobs today, as I mentioned earlier today, there are 71, 73 million jobs are going to be displaced, but there are 130 million jobs getting created. So how are you preparing the next generation of talent to be prepared to face the marketplace that they're walking into? Would the job be same as to what we are doing today? Likely not. There's a lot of automation, a lot of artificial intelligence, generative AI, which is going to take the mundane work out, which means you're more available to do more higher value at work. And how are we training them to prepare for the next generation? And that's the call to action for many of the leaders to really think about what else can we be doing at a state IT level to enable that education, allow people to see the art of possible, and also in the same vein, elevate and educate people to come on the journey and not show a hand up saying, okay, I'm not willing to go there because I don't know what to expect out of AI. The unknown is more scary than making it known. And our job is to make that unknown more of a known entity whereby there's a lot more willingness than a lot of refusal.
Dave Bittner: What are your aspirations? I mean, as you look towards the future, you've accomplished a lot, but I'm sure just in knowing you the brief amount of time I've known you, I think you want to accomplish more before your time here is done. What are some of the things that are on your list?
Kuldip Mohanty: The way I would start with the answer, David, is it's about citizens. It's about businesses that transact in the state. How do we provide government services and bring that consumerization philosophy back into public sector? We all as consumers in our personal lives are used to certain kind of experiences, certain kind of behaviors that we see around us. Why can't we expect that from government? Why does government have to be so complex? Why do we have to go and live on a paper-based environment? And those are the things I think those are areas that we all can aspire to. It's not going to be a sprint. It's going to be a marathon. But if we have the right focus, the right mindset and the right talent, which happens to be the key to unlocking a lot of the future success and an ecosystem of partners who are willing to come together to make that journey happen, nothing is impossible.
Dave Bittner: That's Kuldip Mohanty, Chief Information Officer for the state of North Dakota. Our thanks to him and all of the organizers of CyberCon, especially Conference Chair Troy Walker, for inviting us and being so welcoming. We'll be sharing more from that conference in the coming days. And I'm pleased to be joined once again by Betsy Carmelite. She is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, it is great to welcome you back. I want to talk today about the challenges that organizations face with hiring and this cyber talent pool, which never seems to be big enough. What are your thoughts here on this topic?
Betsy Carmelite: Just such an important topic to address short-term, immediate, long-term cyber workforce needs. So filling these hundreds of thousands of cyber job vacancies across our nation is a national security imperative. And we see the administration making generational investments to prepare our country to lead in the digital economy. And one of the biggest issues we see facing the cyber workforce is that self-limiting definition of experienced talent. And we need to increase the points of entries and expand our own surface area for talent discovery so that we're not putting such a boundary on the four-year degree program is essential and critical. That's just one entry point into a cyber career. And mandatory degree requirements often cause those unnecessary barriers to entry for top talent, excluding many promising candidates who have years or most recent practical experience working in the cyber field.
Dave Bittner: You know, I hear so many people express their frustration at this, that the job listings are unrealistic or you need to have five years of experience in the technology that's only been around for three. You know, those sorts of things. But then people are getting eliminated by automated systems. How do folks short circuit that so they get seen by the people who are doing the hiring?
Betsy Carmelite: Okay, so we saw some research from Handshake that found that rather solely focusing on a candidate's formal education or those requirements that you just mentioned, Dave, focusing on skills tripled the number of qualified veteran tech candidates and resulted in a significant increase in female and Black candidates. So just using that as an example. So I think we're seeing one of the strengths of this strategy is really looking at this skills-based assessment and looking at hiring to skill rather than a formal education. And skills assessments can allow organizations to look beyond candidate resumes, interviews and potential biases to measure actual real-world skills. And I think it's really important to focus on looking at the predictability for strong performance. What is the potential that the candidate has and the aptitude for these jobs? To your point, and I do a lot of hiring as well, I may not get that 100 percent resume or have that interview where the candidate hits every single need in my vacancy. But I'm looking for that potential for challenging the biases for groupthink for hiring, for candidates of many educational backgrounds where we can see that promise and that potential come through the future and open the door for that chance.
Dave Bittner: Is part of this making sure that the organization has the resources to train these people to the position? As you say, you know, someone might not come in perfect, fully baked, but that's okay because we can train them up and get them up to speed in a decent amount of time.
Betsy Carmelite: Yeah, and that's where really upskilling and understanding what sort of path we can put somebody on. So a couple of things there. We can see the validity and the strategy emphasizes this in a community college degree, two-year degrees, apprenticeships, rotations throughout an organization to gain exposure to different disciplines and cybersecurity and then access to certificate courses. Now, we know certificate courses aren't the be all to end all, but it does put candidates and existing employees in an upskilling situation where they're exposed to new things, which could then lead to, oh, I'd like to veer off into this field because it was really interesting and attractive to me when I took that course. So it can be that spark as well.
Dave Bittner: What about going outside of the strict cybersecurity field itself? You know, I remember I spoke to someone once who said that he liked to pursue jazz musicians, because as jazz musicians, they are skilled at collaboration and at solving problems in real time. And that that mindset when applied to cybersecurity, he found was quite successful. I mean, that's an interesting case, but is that the type of thinking that we should be applying here?
Betsy Carmelite: Yeah, I know we've talked previously in other segments, just, you know, where are the angles for problem solving in various education disciplines? You know, I interviewed and hired somebody in the last year who spoke just passionately about how they were part of like tech crew in theater and they learned how to operate all like the circuit boards and the lighting. And they knew nothing about that as a like a senior in high school or something like that. And I was like, wow, you figured that out all on your own and you probably had to do some technical apprenticeship and training alongside somebody to figure that out and be capable. So you know, I look for minds like that, too. I love the jazz musician example. The strategy also here stresses expanding the surface area of the talent pool by seeking out veterans, underserved and underrepresented communities and foreign-born talent to meet growing workforce demands. So those are starting points as well. But, you know, understanding definitely what are the career pathways and how can we dramatically and positively impact federal workforce challenges through also the hiring and pay authorities and reskilling initiatives that, you know, I just mentioned before. A lot of these careers are not linear ladders that we saw in earlier decades, broad portfolios of multiple career experiences. I look at my own career. I would never say that I'm the typical cyber expert. I came out of undergrad with a liberal arts degree, studied linguistics, foreign languages, you know, but then I look at my career now and I've worked in cybersecurity and commercial, federal, the intelligence community spaces. And that really provides a different view across a broad range of paths that I can follow, that I can still follow. So just stressing that that typical cyber expert does not exist. The best ones come from a wide variety of backgrounds and experiences.
Dave Bittner: Yeah, absolutely. All right. Well, Betsy Carmelite is a principal at Booz Allen Hamilton for cyber defense operations. Betsy, thanks so much for joining us. And that's this CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Pelzmann. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.