Five things I’m reading this week:
Spyware: Abuse, Surveillance, and Stalking, but with a Much More Pleasant Name: A recent dump by two anonymous hackers of data captured by users of two prominent spyware companies confirms what most of us already knew. By and large, these tools (malware that can be installed onto a phone to capture and relay communications through that phone back to a peeping tom) are used by spouses to spy on their partners.
Often, the spy claims they did it to catch their spouse cheating. At other times, it’s ex-spouses using these tools to stalk and abuse a partner who is trying to get away from them. Either way, the tools are regularly installed in violation of the law, and the providers rely on only the thinnest of legal language to claim that they shouldn’t be liable.
At a much more fundamental level, these are some of the most disturbing cybersecurity threats because the intrusions here are painfully, terrifyingly personal. This isn’t about intellectual property theft or corporate espionage. By and large, it’s about one person using technology to spy on and threaten another. It’s about that scary text in the middle of the night telling an abused spouse “I know where you are.”
In other words, it doesn’t feel like “cybercrime.” It feels like violence. These are the same tools and techniques we see elsewhere, but the cruelty behind their use drives home an essential point: cyber-enabled operations aren’t an end, they’re a means to an end. And any tool that can be used for corporate goals can just as easily enable infinitely more personal ones.
You Can’t Protect What You Don’t Understand: Exhibit 963: A recent automated analysis run by DHS across the federal government, paired with a good, old-fashioned survey, revealed a striking statistic. On average, federal agencies had 44 percent more devices on their networks than they realized. In other words, the environments that these security teams were tasked to secure turned out to be, on average, almost twice as large as they realized.
The devices included everything from printers and PCs, televisions and thermostats, to personal devices like Xboxes. But what they are is only a tiny part of the story. The real story is that this is just another example of large organizations with massive data stores not knowing what they’re being tasked to protect.
I sometimes wonder how many more ways we need to be confronted by this reality before it stops being surprising. In every other discipline of security, going back millennia and up to the modern day, understanding and controlling the geography of the conflict is the essential foundation. It is a necessary precondition to everything else, because we know that blind security isn’t secure. But in cybersecurity, we persist in ignoring this simple truth: if we don’t understand what we’re protecting, we can’t protect it. This should be the largest center of research and innovation in cybersecurity today – because nothing else comes close to the foundational importance of this challenge.
I'm reading: "DHS cyber tool finds huge amount of ‘shadow IT’ in U.S. agencies."
Fausse Nouvelle: With the French elections just a few days away, the Russian fake news machine is churning along at full power. One study out of the UK found that, in a survey conducted between November 1 and April 19, almost one in four of the links shared on French social media related to fake news – and yes, most of it favored anti-EU candidates with platforms aligned with Kremlin priorities. The survey also identified a “growing gap” among French citizens, meaning that people increasingly did not agree on basic facts.
Sound familiar? It should be no surprise that after such success during the US elections, Russia would continue to ply its influence trade across Western Europe. This is the next big test of our communal ability to maintain a coherent discourse in the face of rampant, targeted media hacking. And make no mistake, this is as serious a threat as we face today. Democracy is founded on the principle of engaged discourse among citizens. If our discourse continues to deteriorate – which is exactly what these influence operations seem designed to do – our democracy will be left standing in quicksand.
Part of this is human nature. We love conspiracies and mistrust those we disagree with, and lies are always easier to propagate than truth. But some of it is also about security. The astonishing ease with which astounding, private, secret information is routinely exposed has created a world where everyone is ready to believe anything. Our bankrupt cybersecurity has essentially primed the pump for influence operations.
We are unlikely to change fundamental human nature any time soon (although there are things that should be done to help combat media hacking directly). But if we could right our cybersecurity posture, we might take some of the wind out of the sails of these efforts. And if there’s a deeper reason why we as a society need to get serious about cybersecurity, confront the misconceptions that have left us so far behind, and do the work required to correct them, I don’t know what it is.
I'm reading: "Russia-linked fake news floods French social media."
The march of cybersecurity regulation continues, as a Hong Kong regulator begins the process of tightening security controls around its financial sector after a series of intrusions led to $14.2 million in losses for Hong Kong stock brokers over the past 18 months. There will be more and more of these.
Senator Wyden is pushing to mandate two-factor authentication for Senate staffers accessing their official accounts within the Senate. This would follow wide deployment of 2-FA within the executive branch. The more broadly we can get two-factor deployed within government (and beyond), the better off we’re going to be. More of this, please.
I'm reading: "Wyden pushing to mandate 'basic cybersecurity' for Senate."