The year in cyber – The Washington Post

Welcome to The Cybersecurity 202! And some important news right off the bat … 

PROGRAMMING NOTE: This will be the final edition of The Cybersecurity 202. It’s been wonderful bringing you our best cyber news and analysis, and we really enjoyed hearing all the feedback and encouragement from our readers over the years.

You’ll still be able to find smart policy coverage here on The Post’s Technology page. And starting in January, you’ll receive The Technology 202, which analyzes the intersection of technology and politics to help you make sense of Silicon Valley and Washington.

And let’s stay in touch. You can follow Tim on Bluesky; Mastodon; Threads and X, formerly Twitter. You can follow David on X.

A look back at the year in cybersecurity trends

As this is simultaneously the last Cybersecurity 202 of the year/ever, let’s end with a look back at the 2023 that was … 

We’re putting “policy” first on this list, keeping in mind that by its nature it’ll overlap with a lot of what comes after. Heck, maybe some of it doesn’t even fit here. Enough meta. Into the meat.

Strategy. Early 2023 brought an unusual national cybersecurity strategy from the Biden administration, the kind of document that’s usually about boring platitudes but signaled a major change (already underway, to an extent) toward shifting the regulatory, legal and practical burden from users to providers. 

Regulation. Speaking of regulation: The administration acted on its regulatory agenda in several areas, from air to water to publicly traded companies. The Securities and Exchange Commission rules proved especially controversial, while water security rules hit a dead end amid a court challenge.

Section 702. The debate over expiring surveillance powers — hailed by national security officials as vital to responding to cyberattacks (and more) but criticized by privacy advocates — ended in a stalemate. The rules have been extended through April 19, but the fight over them in 2023 shaped some of the battle lines ahead.

Spyware. Spyware use expanded into bold new areas in 2023, from a Russian journalist to the U.S. Congress to countries it hadn’t been seen in before. The Biden administration put out an executive order on spyware and sanctioned other spyware makers, even as action was stymied in other parts of the world.

CISA. The Cybersecurity and Infrastructure Security Agency stayed plenty busy doing, well, a little bit of everything, some of which we linked to already and will sprinkle throughout the rest of the wrap-up. But it also got entangled (along with the FBI) in a court case about social media, disinformation and censorship that has risen to the Supreme Court. That case has spilled over on Capitol Hill, with some Republicans growing hostile toward the agency.

People matter in cyber, certainly as it pertains to the vast number of unfilled jobs in the field. But change at the top matters, too, and there were some important shifts.

National cyber director. The very first national cyber director, Chris Inglis, departed amid talk of acrimony between leading administration cyber figures. His acting replacement, Kemba Walden, had gotten good reviews but ended up not getting the full-time gig for reasons that confounded our sources. Instead, Harry Coker will become the second permanent national cyber director after a long delay, following action from Congress in late 2023.

National Security Agency/Cyber Command. Gen. Paul Nakasone has led the NSA and Cyber Command since 2018, and after signaling his exit, stayed in the role for a while longer as a senator placed a hold on all top military nominees. This week, Lt. Gen. Timothy Haugh got cleared to take over for Nakasone.

Remember how ransomware’s rocket-like ascent slowed in 2022? Well… 

MOVEit. We only wrote the top part of the newsletter about the MOVEit attack a few times, so perhaps we’re as much to blame as anyone about it not getting as much attention as I think it deserves. But, yeah, it’s maybe the biggest ransomware attack ever. Let’s say it again: maybe the biggest ever.

Disruptions. Despite the numbers being back up again — the final tally won’t be done for a few weeks, but all signs point to a major jump in the number of attacks from last year — the Biden administration’s approach to disruption and international coordination netted some gains against the gangs.

The international picture

There’s plenty to say about attacks against big targets overseas in 2023 or activity from some of the usual big suspects, but let’s just talk about a couple of international developments.

China. Whatever the state of China-U.S. relations, China showed signs of being emboldened in cyberspace. That’s according to U.S. officials, but also suggested in its willingness to go after critical infrastructure and government networks, as well as innovate with influence operations.

Cyberwar. Perhaps cyber hasn’t played a defining role in Russia’s war with Ukraine or the Israel-Hamas war, but it has played a meaningful one. There’s been enough of it to lead to some proposals about rules of cyber conduct amid war.

Election threats are maybe more of a 2024 thing than a 2023 thing, but that doesn’t mean there wasn’t important news this year.

Insiders. As we’ve seen with election security, sometimes the threat comes from the inside. Court documents shed light on the degree to which some GOP operatives had allegedly caused security threats.

Election lies. Election lies proved very costly for their purveyors in 2023, and more cases are still in the works. Whether it’ll change anyone’s behavior is the question.

Election threats. There were some direct election threats that made news in 2023 despite it being less of an election year in most places — see what happened with the development in the United Kingdom, for instance, or the influence campaign ahead of Taiwan’s elections, or even some of the past week’s news in the United States.

Welcome to an obligatory catchall section of any list like this, but at least it’s grouped by theme, right?

Edge devices. The MOVEit attack illustrated how hackers were increasingly (but not unprecedentedly) looking at getting into tech, including “edge devices,” that would allow them to hit a range of targets.

Distributed denial-of-service attacks. Fine, this one isn’t so much about “other tech,” but it had to go somewhere. The (allegedly) lowly DDoS attack had itself quite a year, including its own “biggest-ever.”

Crypto. Crypto theft is still costing people a lot of money. The Biden administration took some steps in 2023 to combat crypto tools as mechanisms for obscuring ill-gotten gains from crimes like cyberattacks.

Artificial intelligence. It’s a buzzword everywhere, and it figures into the plans of cybersecurity companies themselves. But at least for now, generative AI has proven too nascent to have as big an impact on the negative side of the ledger in 2023 compared with where it might go in the future.

Pentagon’s cloud project off to slow start amid security concerns

A year after the Pentagon divvied up a new $9 billion contract among four major tech vendors to modernize its cloud infrastructure, less than 2 percent of the earmarked money has been committed, amid concerns that the cloud isn’t secure enough for military use, our colleague Eva Dou reports.

Amazon, Google, Microsoft and Oracle were grouped together to bolster the Defense Department’s cloud frameworks after Microsoft’s win of an earlier contract was challenged in court by Amazon and Oracle. 

  • “Concerns remain over the security of cloud systems following a high-profile hack over the summer of Microsoft’s cloud by Chinese cyberspies, who managed to infiltrate the email accounts of Commerce Secretary Gina Raimondo and other U.S. officials,” Eva writes.

At the same time, some experts contend that the delays could affect U.S. military competitiveness. 

  • “The time that we lost with JEDI was really painful because you need a computing structure to train AI models,” former Defense Department technology official Paul Scharre told Eva, referring to the current contract’s predecessor, the Joint Enterprise Defense Infrastructure. “DoD needs to have that cloud infrastructure in place to move forward on AI.”

CIA dodges some claims in dismissed Assange spying lawsuit

A Manhattan federal judge dismissed a lawsuit filed by two lawyers and two journalists that accused the CIA of spying on them and copying content from their electronic devices when they met with WikiLeaks founder Julian Assange, Law360’s Elliot Weld reports.

Weld writes: “U.S. District Judge John Koeltl on Tuesday dismissed a Fourth Amendment claim against former CIA director Mike Pompeo and claims against the CIA regarding its alleged surveillance of the plaintiffs’ conversations with Assange and photographs of their passports and devices.”

  • Assange is in London trying to appeal against an extradition to the United States, where he is wanted for criminal charges connected to a leak of sensitive U.S. military documents. He took refuge at the Ecuadorian Embassy in London in 2012 and spent years there before being taken to Belmarsh Prison, where he remains. 
  • The report continues, “The plaintiffs allege that while they were visiting Assange in the Ecuadorian embassy in London, they were forced to turn over all electronic devices to the Spanish security firm Undercover Global. The firm allegedly copied information stored in the devices without the plaintiffs’ knowledge and sent it to the CIA.”

“On the plaintiffs’ claims related to recordings of their conversations with Assange, Judge Koeltl said they had not shown ‘an actual, subjective expectation of privacy’ with respect to those conversations,” Weld writes. Koeltl, however, also said the CIA violated reasonable expectations of privacy when the agency copied their devices.

“We are thrilled that the court rejected the CIA’s efforts to silence the plaintiffs, who merely seek to expose the CIA’s attempt to carry out Pompeo’s vendetta against WikiLeaks,” plaintiff attorney Richard Roth from the Roth Law Firm said in a statement to Law360. The CIA did not immediately respond to the outlet’s comment request.

CISA wants feedback on secure-by-design guidelines (MeriTalk)

Arizona’s secretary of state is already sick of election conspiracy theories (WIRED)

Why hack in “Leave the World Behind” is chilling but unlikely (Bloomberg News)

How verified accounts on X thrive while spreading misinformation about the Israel-Hamas conflict (Pro Publica)

TikTok parent ByteDance says it’s using OpenAI technology to test its own AI models (CNN)

Under new bill, U.K. police would be able to run face recognition searches on 50 million driving license holders (The Guardian)

Ukraine’s Kyivstar says it is fully operational after cyber attack (Reuters)

German police take down Kingdom Market, a darknet emporium of illicit goods (The Record)

Chinese traders and Moroccan ports: How Russia flouts global tech bans (New York Times)

Yahoo Survivor Football bug let players pick winners after NFL games were over (The Record)

Health-care software provider data breach impacts 2.7 million (Bleeping Computer)

Google’s location data move will reshape geofence warrant use (Bloomberg Law)

Inside the police force scouring the internet to save abused children (Politico)

The obscure Google deal that defines America’s broken privacy protections (WIRED)

