The CyberWire Daily Podcast 12.6.23
Ep 1961 | 12.6.23

Push notifications pushing surveillance.

Transcript

Dave Bittner: Governments target push notification metadata. Dissecting the latest GRU cyber activities. A look at Russia's AI-powered Doppelgänger influence campaigns, and how cyber warfare is evolving beyond the battlefield. We've got updates on the Adobe ColdFusion vulnerability, the expanding 23andMe data breach, and insights into the financial impacts of ransomware. Our guest is Camille Stewart Gloster, Deputy National Cyber Director for Technology & Ecosystem Security from the Office of the National Cyber Director at the White House. Plus, discover how the TSA is embracing AI for future security.

Dave Bittner: Today is December 6, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Governments spying on Apple, Google users through push notifications

Dave Bittner: We begin today with news from Reuters that U.S. Senator Ron Wyden has raised concerns about governments using smartphone app push notifications for surveillance. In a letter to the Department of Justice, he indicated that foreign officials were requesting data from Google and Apple. This method of surveillance takes advantage of the fact that most push notifications for emails, messages, or updates pass through Google and Apple's servers. This access provides these companies, and potentially governments, with insights into app usage and user interactions.

Dave Bittner: Wyden urged the Department of Justice to revise policies that restrict public discussion of this surveillance method. Apple responded, stating that the letter allows them to disclose more about government monitoring of push notifications. Previously, they were prohibited from sharing this information but now plan to update their transparency reports accordingly.

Dave Bittner: The Department of Justice and Google have not commented on the issue. The letter's claims are based on a tip, confirmed by a source familiar with the matter, who revealed that both foreign and U.S. agencies have sought metadata related to push notifications to link anonymous app users to specific Apple or Google accounts. The foreign governments involved are described as U.S. allies and democracies, but they were not specifically identified.

Dave Bittner: This surveillance practice has gone largely unnoticed by most users. However, concerns have been raised about the inherent privacy issues, as highlighted by French developer David Libeau earlier this year. He labeled push notifications as a "privacy nightmare" due to the data emission to U.S. tech giants, underscoring the need for awareness and transparency in how apps handle user data and interact with large technology companies.

Russia's Doppelgänger influence operators experiment with AI.

Dave Bittner: Recorded Future's Insikt Group has observed an evolution in Russia's Doppelgänger influence operation, which now utilizes generative AI to create fake news and opinion stories on a large scale. This operation, targeting audiences in Ukraine, Germany, and the US, disseminates typical Russian propaganda themes such as anti-LGBTQ messages, criticism of US military competence, highlighting US political divisions, and pointing out German social and economic issues. According to CyberScoop, while this AI-driven disinformation campaign has achieved only limited success, its use of advanced technology to mass-produce false content represents a significant development in the field of digital propaganda and misinformation.

Cyber phases of hybrid wars spread beyond the theaters of operation.

Dave Bittner: The conflicts in Ukraine and between Hamas and Israel demonstrate the growing role of cyberspace in warfare, as outlined in a CSO essay. This "spillover" into cyberspace requires security teams to be vigilant against cyberattacks. The essay stresses the importance of sound risk management practices for both public and private sectors, urging cybersecurity teams to adapt to changing geopolitical landscapes through simulation and information sharing.

Dave Bittner: Notably, external states like Iran have exploited vulnerabilities, such as in US utilities' PLCs. In Russia's hybrid warfare, state security services and auxiliary hacktivist and criminal groups, like Fancy Bear, play active roles in cyberattacks.

Dave Bittner: A crucial lesson from these conflicts is the need for public-private cooperation in cybersecurity. An example is Dragos's Community Defense Program, which supports small utilities with training and information-sharing, especially in water and power sectors, highlighting collaboration as a key defense against evolving cyber threats. 

CISA warns of Adobe ColdFusion exploitation.

Dave Bittner: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Cybersecurity Advisory (CSA) confirming the exploitation of a vulnerability in Adobe ColdFusion, within a Federal Civilian Executive Branch (FCEB) agency. This vulnerability allows for arbitrary code execution due to improper access control. The advisory details two incidents in June where Microsoft Defender for Endpoint (MDE) detected potential exploitation on public-facing web servers of two unnamed agencies. These incidents are believed to be reconnaissance efforts aimed at mapping the agencies' networks for potential further exploitation. The identity of the attackers, or whether the same threat actor was involved in both cases, remains unknown.

Dave Bittner: CISA's advisory includes risk mitigation recommendations applicable to both FCEB agencies and general users of ColdFusion: update software, network segmentation, enforcement of signed software execution policies, and firewall usage. 

23andMe data incident increases in scope.

Dave Bittner: 23andMe, the DNA and ancestry-tracing firm, recently amended its Form 8-K filed with the SEC, revealing a more extensive breach than initially reported. Originally disclosed as a credential-stuffing attack affecting 0.1% of user accounts, the breach actually exposed data on approximately 6.9 million individuals. The attackers gained access through reused customer passwords and then accessed files related to the DNA Relatives feature, sharing some users' ancestry profile information online.

Dave Bittner: The compromised data, now offered for sale on BreachForums, includes display names, sex, birth year, and general genetic ancestry information. Fortunately, no actual genetic data was compromised. The stolen information, while not highly valuable, could potentially be used in affinity scams, exploiting shared cultural or ethnic backgrounds to deceive victims.

Dave Bittner: This incident highlights the risks of password reuse and the broader implications of data breaches, where even seemingly innocuous information can be manipulated for social engineering schemes.

Average losses to ransomware attacks.

Dave Bittner: Claroty's survey on ransomware attacks in the industrial sector reveals that 75% of organizations faced such attacks in the past year. Alarmingly, of those affected, 69% paid the ransom, and over half (54%) of these companies experienced financial repercussions exceeding $100,000 USD. The survey also highlights that 45% of respondents consider TSA Security Directives as having the most significant impact on their security priorities and investments. These findings underscore the widespread and costly impact of ransomware attacks in the industrial sector and the importance of adhering to stringent security measures and standards.

A snapshot of the state of DevSecOps.

Dave Bittner: A report from Cycode on application security posture management (ASPM) reveals a notable trend in the AppSec field, where teams are overwhelmed by the abundance of security tools. The study found that 95% of AppSec teams use over 20 different security tools, and 70% have more than 40 tools at their disposal. However, this proliferation of tools is not necessarily beneficial. In fact, 78% of surveyed security professionals find managing multiple security tools challenging, indicating that the excessive number of tools contributes to a sense of being overwhelmed rather than improving security efficacy. This data highlights a critical issue in the application security domain, where the complexity of security tool management can impede effective security operations.

The current state of LockBit's criminal operations.

Dave Bittner: ZeroFox's analysis of the LockBit ransomware-as-a-service operation reveals that it accounted for 25% of all ransomware and digital extortion (R&DE) attacks in North America in 2023. The study predicts that LockBit will increasingly target North American entities in the upcoming quarters, maintaining its position as the primary R&DE threat in the region. The frequency of these attacks is expected to remain high, with the proportion of LockBit attacks in North America likely surpassing the global average. This forecast underscores the growing concern over LockBit's activities and its significant impact on North American cybersecurity.

Dave Bittner: Our guest today is Camille Stewart Gloster. Camille is the Deputy National Cyber Director in Technology & Ecosystem Security at the White House's Office of the National Cyber Director. Camille talks with me about her views on women in cybersecurity, their efforts in diversity, equity and inclusion, and what she sees for the future.

Dave Bittner: Coming up after the break, my conversation with Camille Stewart Gloster, Deputy National Cyber Director in Technology & Ecosystem Security at the White House's Office of the National Cyber Director. Stay with us.

Dave Bittner: Camille is the Deputy National Cyber Director for Technology & Ecosystem Security at the White House's Office of the National Cyber Director. Which is to say, she has a very important and influential seat at the table at the White House, advising and advocating on cybersecurity policy. We're grateful that she agreed to spend some time with us and to describe her efforts, starting with where she believes we stand with cyber at this particular moment in time.

Camille Stewart Gloster: We are at an inflection point. We have -- I mean, the President talks about this decisive decade and putting out so much policy and work into building out our workforce in general, and specifically focused on cyber. In the National Cyber Workforce and Education Strategy, we've released all this money that has been focused on building out our infrastructure through the CHIPS Act and the bipartisan infrastructure law, et cetera. But all of those things call out a special focus on the workforce, and part of that workforce is cyber workforce. And so these monumental investments provide us an opportunity to really be intentional about how we make investments, how we bring people along for the journey, and how we build out a workforce that can be responsive to the changing technological needs that we have as a society. Technology underpins everything and it is a great opportunity to amplify the best and the worst of what's going on, and if we lean into focusing on that best, that means bringing every perspective to bear on the challenges and opportunities present. And so making sure that women are a part of that and making sure diverse communities are a part of that has to be something we need to be intentional about.

Dave Bittner: As someone who has that behind-the-scenes seat at the table there among your colleagues at the White House, can you give us some insights as to what the process is like? How does President Biden and the folks working with him -- how do they make sure that they're being intentional and really making a difference when it comes to these efforts toward diversity and equity?

Camille Stewart Gloster: I mean, there are a number of different components within the executive office of the President that are focused on different groups. So we've got the Gender Policy Council, you know, we have cyber, which already has a mandate across diversity, we have initiatives like the White House API Initiative. And the President has been really intentional about standing up initiatives, groups, policy councils focused on demographics that need additional support or investment. And so we come together quite a bit, whether it's in the name of cyber workforce, or we're thinking about CHIP, so we're thinking about bipartisan infrastructure law. How do we bring our specific expertise to bear in service of those communities, in service of the whole? So there's a real coming together of experts who focus on gender every day and focus on these communities every day and then on that content area.

Dave Bittner: For the folks in our audience, how do you recommend that they best interface with these programs that the White House is putting out there?

Camille Stewart Gloster: So we're really excited because the implementation of the National Cyber Workforce and Education Strategy is multifaceted. There is a federal component, for sure, but most of the work, quite frankly, is focused on non-profits, private sector, state and local, academia. All of the partners that help build out a broader technological ecosystem or workforce ecosystem. And so in support of that, we have been doing a lot of work to understand how different organizations want to implement the workforce strategy, to provide tools to help do that, and to get out into burgeoning ecosystems, to strong ecosystems, to help spark, support, or elevate good work going on across the nation. And internationally, for that matter. And so there are a lot of opportunities to plug in. You can go to whitehouse.gov/cyberworkforce and take a look at some of the work that we've been doing. You can invite us to come to your cyber workforce ecosystem, if there is one, or if you think there should be one and need some support. And then also we do a lot of direct one-to-one engagement to understand the programs that are working, how they can scale, and really be able to spread best practices and lessons learned throughout the community.

Dave Bittner: There's certainly been a lot that the administration has achieved. What do you see coming here? Are there things on your list that you hope we get done as we look towards the horizon?

Camille Stewart Gloster: Yeah, a focus on data has been a priority for me. I think there's been a clamoring from [inaudible 00:15:32] to really understand the cyber workforce better. Where are there gaps? What programs are working? Should we focus on retention or recruitment? Should we focus on mid-career, early career, later in your career? So I think really understanding the data will be helpful. We've got a lot of new technologies emerging. One of the things that we were intentional about when writing the National Cyber Workforce and Education Strategy was making it technology agnostic, much like the National Cybersecurity Strategy. And so as we think about the AI workforce, the quantum workforce, all of these burgeoning technologies that will change the very nature of how we operate. And then, of course, of work. Applying this strategy to those areas and seeing how the work that we are investing in now will create the agility to be responsive to the new skill sets that are necessary to answer the call to understanding the changing landscape. I'm really excited about the investment that we're making there and the collaboration across groups that will help facilitate effectively doing that. Building that agility. Those are two things I'm really excited about.

Dave Bittner: What is your message to that person who's considering a move into cybersecurity? And I'm specifically, you know, thinking about maybe that young woman who's coming out from school, or maybe someone who's considering a career shift. Do you have any words of wisdom or thoughts of encouragement?

Camille Stewart Gloster: Yes. Join us. Whatever your skill set is, whether you were exploring a variety of things in school or you are thinking about transitioning your career. Cybersecurity is a multidisciplinary space where, whether you are very technical or you have a focus on marketing or a focus on the law or society or psychology, whatever, there is an opportunity to blend that with the technical acumen to be able to understand how technology shows up in the lives of people. Its impact on people, society, governments, and be able to contribute to what is increasingly becoming an underlying calculus in every decision that we make, right? And so do not ever self-select out. If you think that you don't want to be a technologist, you don't have to be. You don't have to be an engineer to work in cybersecurity. There's probably a way for you to leverage that skill set, that insight that you have about a different industry, a different community, and overlay that with cybersecurity knowledge and be a contributing member of this ecosystem. And I will also mention that there are a lot of good-paying jobs in this space, and so you will be paid and rewarded for all of your hard work and expertise.

Dave Bittner: That's Camille Stewart Gloster, Deputy National Cyber Director for Technology & Ecosystem Security from the Office of the National Cyber Director.

TSA embraces AI for future security.

Dave Bittner: And finally, the Transportation Security Administration, the TSA, is gearing up to integrate artificial intelligence across its operations, aiming to enhance passenger screening and threat detection. Kristin Ruiz, deputy CIO of TSA, spoke about the future of U.S. travel powered by AI advancements during the GovAI Summit in Arlington, Virginia. The agency envisions using AI to refine baggage scanning with advanced image recognition and improve training through generative AI and simulation technologies. Last year, TSA's identity management roadmap highlighted the potential of digital identity, AI, machine learning, and blockchain for efficient identity management solutions. This aligns with the agency's ongoing use of AI for facial recognition and machine learning in screening processes at airports. Ruiz discussed AI applications that could reduce redundancies for TSA agents and offer travelers a smoother experience, including pre-processed baggage scans and streamlined, contactless identification methods. The TSA's move towards AI integration in travel security isn't just a flight of fancy; it's a tech-savvy leap towards ensuring that the future of flying is as smooth as an automated baggage carousel.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Please take a few minutes and submit the survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing world of cybersecurity.

Dave Bittner: We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.