First in The Cybersecurity 202: CISA snags ‘Mudge’ for ‘secure by design’ role
Famed hacker and Twitter whistleblower Peiter “Mudge” Zatko is joining the Cybersecurity and Infrastructure Security Agency with an emphasis on helping its campaign to push software manufacturers to bake security into their products while they’re being developed, The Cybersecurity 202 is first reporting.
Zatko begins in a part-time role this week as a “senior technical advisor.” It’s a high-profile hire for the Biden administration’s focus on products that are “secure by design,” a key component of this year’s National Cybersecurity Strategy as well as CISA’s strategic plan.
“Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country,” CISA Director Jen Easterly said in a written statement. “The National Cybersecurity Strategy and CISA’s Strategic Plan call for a fundamental cultural shift in which cybersecurity accountability is principally borne by technology vendors rather than customers and by business leaders rather than security professionals.”
- “To enable this shift, we need team members with extraordinary expertise to help us identify the right levers and lead the hard conversations,” Easterly continued. “That’s why we’re so excited to welcome Mudge to the CISA team — a legendary security researcher, CISO, and visionary.”
Zatko was a prominent member of the groundbreaking L0pht hacking collective. In 1998, seven of its members testified before a Senate committee in one of the first-ever congressional cybersecurity hearings, where they delivered urgent — and prophetic — warnings about security vulnerabilities.
It’s his second go-round in the federal government, following a stint at the Defense Advanced Research Projects Agency from 2010 to 2013.
“I am honored to formally return to public service and work with CISA on the critical cybersecurity issues we face, including enabling secure-by-design principles to be accessible, measurable, and adopted by government and industry alike,” Zatko said in a written statement.
- “Cybersecurity has been the mechanism through which I have had impact,” he said. “Through this I have devoted my life to moving the field forward by way of transparency, education, and innovation. I have endeavored to do this irrespective of being in the public sector, private sector, nonprofit, through technical contributions, or in executive and leadership positions. I look forward to continuing my mission to serve everyone the best I can.”
His wide-ranging career recently took another turn when, a little more than a year ago, he filed a whistleblower complaint against Twitter with the Securities and Exchange Commission, Justice Department and Federal Trade Commission. He alleged that executives at Twitter — where he had served as security chief for less than two years — deceived federal regulators about “extreme, egregious deficiencies” at the social media platform and violated the terms of a security agreement with the FTC, as my colleagues Joseph Menn, Elizabeth Dwoskin and Cat Zakrzewski reported.
The allegations saw him return to testify before the Senate.
“It doesn’t matter who has keys if you don’t have any locks on the doors,” he told lawmakers on the Senate Judiciary Committee last September. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”
Most recently, he has been serving as “executive in residence” with the cybersecurity company Rapid7.
Zatko’s experience dovetails with the Biden administration’s crusade (with CISA playing a key role) for manufacturers to develop products that are secure by design and secure by default — the latter meaning that they are secure “out of the box” at no additional cost to the customer.
“Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance,” the National Cybersecurity Strategy reads.
CISA’s strategic plan, meanwhile, says, “We recognize that technology products must be designed and developed in a manner that prioritizes security, ensures strong controls by default, and reduces the prevalence of exploitable vulnerabilities.”
Since the administration released its overall strategy, CISA and two other federal agencies joined forces with several allied foreign governments to release a voluntary “principles and approaches” document on how to implement secure by default and secure by design.
CISA recently teamed up with Microsoft to announce that the tech giant would expand free logging services following a hacking campaign that breached the company’s cloud-based email system to claim victims at the State and Commerce departments, among others.
Easterly said earlier this year that Congress should pass legislation to hold software manufacturers legally liable for the insecurity of their products. It’s an issue lawmakers have barely scratched the surface on, despite security professionals making decades of calls to act. It might take another year or more for legislation to even emerge, according to Biden administration officials.
House GOP members sound off on new SEC cyber disclosure rule
A trio of House Republicans alleges that a recently approved cyber incident disclosure rule from the Securities and Exchange Commission is duplicative and confusing and compromises the confidentiality of firms’ cybersecurity programs. The lawmakers are urging the agency to delay the rule, which is set to take effect this week, according to a letter sent Friday.
The missive addressed to SEC Chair Gary Gensler, from House Homeland Security Committee members Andrew R. Garbarino (N.Y.) and Mark Green (Tenn.), as well as Rep. Zachary Nunn (Iowa), a member of the House Financial Services Committee, argues that the rule goes against efforts to standardize cyber incident disclosure reporting for critical infrastructure entities.
- The SEC in July voted to approve a rule that would require publicly traded companies to report major cyber incidents within four days once it is determined that the hack is significant enough to affect investors’ decisions.
- The triad argues that the disclosures “are in direct conflict” with provisions in the 2022 Cyber Incident Reporting for Critical Infrastructure Act, which requires the Cybersecurity and Infrastructure Security Agency to craft rules requiring entities to report certain cyber incidents within 72 hours from the time the entity believes the hack occurred.
“It is unfathomable that the SEC is moving forward with its public disclosure requirements, which will only increase cybersecurity risk, without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” the letter says.
While Republicans and some industry representatives argue the rule would require disclosure of too much highly sensitive information (a recurring concern among opponents of Biden-era cyber regulations), supporters view the measure as a way for investors to gain more transparency into firms’ cybersecurity practices, to incentivize organizations to protect themselves further, and to alert others to potential large-scale cyberthreats.
The SEC did not immediately respond to a request for comment.
Raimondo complained to Chinese officials about being hacked
Commerce Secretary Gina Raimondo, on a trip to China this past week, complained to officials in Beijing about a recent hack that breached her Microsoft email account, Politico’s Katherine Long reports.
“They did hack me, which was unappreciated, to say the least. I brought it up, clearly. Put it right on the table,” she told host Chuck Todd on NBC’s “Meet the Press.” She “did not pull any punches” on other national security concerns, she added.
- She said that hacking her account “erodes trust” between China and the United States. The hack also compromised the accounts of U.S. Ambassador to China Nicholas Burns and Assistant Secretary of State for East Asia Daniel Kritenbrink.
- The hack came at a crucial moment in U.S.-China relations, as Raimondo and other Cabinet members make trips to Beijing in an attempt to stabilize trade, business and security relations with the nation.
- In a related development, China’s Huawei announced the rollout of a new smartphone that was timed to Raimondo’s visit. The move has signaled to some that U.S. restrictions that aim to stifle Beijing’s access to AI chips and other cutting-edge hardware are being circumvented.
Since May, China-linked hackers have leveraged a digital key and a now-resolved code flaw to break into the emails of U.S. government agencies and other clients. The incident has put Microsoft in hot water and has led some officials and policymakers to question whether the United States is over-reliant on the tech giant’s services.
Northern Ireland police chief resigns following major data incident
Northern Ireland’s police chief, Simon Byrne, resigned after weeks of pressure following an incident in which the personal data of all of the police force’s officers was accidentally released, Olivia Fletcher reports for Bloomberg News.
Fletcher writes: “Byrne stepped down after an emergency meeting of the Northern Ireland Policing Board on Monday, having previously refused to do so in the face of a no-confidence motion submitted by the Democratic Unionist Party following the mistaken release of officers’ personal information.”
The Police Service of Northern Ireland was responding to a Freedom of Information request last month when a staffer gave the surnames, initials, ranks or grade, and work locations of all 10,000 of its police officers and civilian employees. The data was publicly available for several hours, and PSNI officials urged anyone with the information to delete it immediately.
- Since the incident, the PSNI has been aggressively searching for those who have held onto the leaked data. One man was arrested and charged last month with two terrorism offenses connected to possessing documents from the breach.
- Byrne confirmed that dissidents have access to the information, and he said he fears it will be used to intimidate and target police, Sky News reported at the time. Sectarian violence in the region declined sharply following a 1998 treaty, though dissident groups still target police officers.
‘Excited and terrified’: On a high-stakes trip to China, Gina Raimondo confronts a complex future (The Information)
Why Trump’s vow to appeal his D.C. trial date probably won’t work (Devlin Barrett)
Staying on alert for after-hours cyberattacks (Axios)
Why is .US being used to phish so many of us? (Krebs on Security)
Why the West is concerned about the UN cybercrime treaty (Semafor)
Hackers push anti-Iranian government messages to millions via breached app (CyberScoop)
Saudi dissident’s brother is sentenced to death in social media case (New York Times)
Meta identifies Iran and Turkey’s network of ‘adversarial threat’ (Jerusalem Post)
Huawei teardown shows chip breakthrough in blow to US sanctions (Bloomberg News)
Musk’s new Twitter policies helped spread Russian propaganda, E.U. says (Joseph Menn)
Britain sets priorities for November global AI safety summit (Reuters)
Maker of ‘smart’ chastity cage left users’ emails, passwords, and locations exposed (TechCrunch)
Freecycle confirms massive data breach impacting 7 million users (Bleeping Computer)
Barracuda patch bypassed by novel malware from China-linked threat group (Cybersecurity Dive)
The endless battle to banish the world’s most notorious stalker website (Nitasha Tiku)
X, formerly known as Twitter, may collect your biometric data and job history (CNN)
- Jen Easterly, Anne Neuberger, Kemba Walden and other U.S. cyber officials speak at the Billington Cybersecurity Summit in D.C. throughout this week.
- DHS Undersecretary for Intelligence and Analysis Kenneth Wainstein speaks with the Atlantic Council tomorrow at 11:30 a.m.
- The Institute of World Politics convenes a cyber intelligence seminar tomorrow at 6 p.m.
Thanks for reading. See you tomorrow.