Air Force. Navy. Army. Cyber Force?

PLUS: Biden's Spyware EO Formalises Status Quo

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Keyboard warrior, Midjourney

A professional association for military cyber professionals, the MCPA, is calling on Congress to establish a 7th branch of the armed services, a US Cyber Force.

The formal request is a single page, a bit light on detail, and the justification is contained in a single paragraph:

For over a decade, each service has taken their own approach to providing United States Cyber Command forces to employ and the predictable results remain inconsistent readiness and effectiveness. Only a service, with all its trappings, can provide the level of focus needed to achieve optimal results in their given domain. This is why we have a Navy, for example, that heavily invests in manning, training, and equipping to fight and win at sea. Cyberspace, being highly contested and increasingly so, is the only domain of conflict without an aligned service. How much longer will our citizenry endure this unnecessary risk?

That's it, and we are not convinced.

When it comes to the other six services there are a lot of specialist skills that aren't necessary outside the military. The letter cites, for example, the Navy's role to "fight and win at sea", and for most of the services it's the "fight" part that is unique. Civilians fly planes and sail boats and drive vehicles, but mostly they don't fight while they do it.

That's not really the case in the cyber domain, where there is huge overlap between civilian and military jobs. In part, that explains why people often migrate from cyber-related intelligence roles directly into private industry. The skills aren't unique, but Cyber Command's mission and authorities are.

The cyber domain is also all-pervasive — all services need to defend themselves and cyber operations are relevant to them all to a greater or lesser degree. Carving the cyber workforce off into its own branch would weaken each service.

In some ways Cyber Command reminds us of US Transportation Command. Logistics is vitally important, and all services rely on it to get what they need to fight, but it isn't its own service. Of course, USTRANSCOM doesn't have THE CYBER's sizzle, but try fighting a war without it!

The Record also notes there is "currently no political will within the Biden administration to create a seventh military branch".

Biden's Spyware EO Formalises Status Quo

The Biden administration has issued an executive order to clamp down on commercial spyware that targets US interests or is used to facilitate human rights abuses. It's a good move but it doesn't do much more than formalise the current status quo.

In the words of the fact sheet, the order prohibits the federal government from:

…operationally using commercial spyware tools that pose significant counterintelligence or security risks to the U.S. Government or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses.

It then goes on to list what kind of behaviour is not acceptable, including spying on the US government or its citizens, using spyware against activists to curb free expression, and use by governments that repress their own citizens.

Part of the order also requires that the Director of National Intelligence (DNI) produce a regular classified intelligence assessment that examines foreign commercial spyware for these red flags to "facilitate effective interagency coordination". There are a range of law enforcement and intelligence agencies who might want to legitimately use foreign commercial spyware, but someone has to figure out who is on the naughty list.

Although a lot of media coverage has focussed on the executive order restricting the government's use of these hacking tools, we think most of the vendors of concern weren't seeing the US as a big market in the first place.

NSO Group, for example, had large contracts with authoritarian governments but just nibbles from US federal agencies. At its peak NSO had annual revenues of USD$250m, so it was doing just fine without large US contracts.

The order complements or mirrors legislative initiatives we've written about before in this year's draft Intelligence Authorization Act (IAA). The IAA requires that the DNI report to Congress about foreign commercial spyware and gives the DNI the power to prohibit purchases by the intelligence community. So, there are some minor differences in scope, but both the executive order and the IAA use similar methods to try and achieve the same goal.

The IAA trumps the executive order in one respect and grants the President the power to impose sanctions on spyware companies if they pose a counterintelligence risk. We are fans of this sanction power in part because it doesn't seem that US government contracts were ever really a goal for bad spyware vendors.

When we first examined the IAA last July we felt that the requirement for an annual DNI report on foreign commercial spyware was the most significant element. The US government needs to know who the bad vendors are before it can hit them with the sanction stick.

Unlike the IAA provisions, the Biden EO is very US-centric. But we're hoping it will inspire similar actions in other places. The European Union, for example, has become a spyware hotbed and regulations there are lagging.

As reported by Risky Biz News, an EU committee examining spyware found that Cyprus and Bulgaria serve as "export hubs for spyware" and several EU member states use spyware irresponsibly or even for systemic repression.

We hope the EO and the IAA actions will give European policymakers a kick in the pants, at least in terms of showing them what's possible. We also hope the USA will release unclassified versions of the DNI's spyware "naughty list" so policymakers in other countries can benefit from it.

Sunshine is the best disinfectant, as they say.

UK's NHS Gets Its Own Cyber Strategy

The UK government has released its healthcare system cyber security strategy. As far as strategies go it's fine, but the success of these things always depends on being able to lift them off the page and put them into practice.

The UK's National Health Service (NHS) is huge, with over 1.2m employees, so it is definitely big enough to deserve its own strategy. The NHS was also a high-profile victim of the WannaCry ransomware-slash-wiper attack in 2017.

The strategy aims to cover not just the NHS but the entire health and social care system including independent providers and suppliers across the sector.

At the helicopter view the strategy can be summarised as "let's work together on the most important things". It's got the obligatory pillars, five in this case, and includes things like prioritisation and risk management, culture change, and building security into everything. It's pretty much what you'd expect, but it does a good job saying what the government wants to achieve and how it'll do it.

One of the elements we like is in the fifth pillar, "Exemplary response and recovery", where the plan is to "investigate and report on 'lessons learnt' from cyber events to drive improvements". Our experience is that people improve security at one of two times — either after they've personally been through a terrible security incident or they hear from someone else who has. Given the sheer size of the NHS and the health sector, there should be lots of terrible incidents to learn from.

The strategy also identifies room for improvement when it comes to sharing lessons from disasters.

James Sullivan, Director of Cyber Research at RUSI, told Seriously Risky Business the strategy is "ambitious and aspirational, but as always the key will be in its implementation". He pointed out some key challenges were the UK's "limited cyber workforce" and legacy technology.

"A large portion of the systems used by the NHS are outdated and no longer supported", he said.

The strategy lists ransomware as the health system's top threat but only briefly mentions insider threats and the possibility of "state actors seeking to access sensitive information". This part feels underdone. Sullivan thought this was because "the UK really has not got a grip on the ransomware threat, rather than neglecting other threats".

The strategy is a good one, but the NHS is a massive organisation. Change will take time.

Three Reasons to be Cheerful this Week:

  1. Microsoft to block emails from outdated Exchange servers: Microsoft plans to throttle and block email from "persistently vulnerable" Exchange servers. This seems unlike Microsoft, which tends to let things rot for eternity. But having the guts to get rid of outdated cruft is a security win. Risky Biz News has more coverage.
  2. CYBERCOM is here to help: US Cyber Command confirmed it helped the Albanian government recover from Iranian cyberattacks conducted last summer. It deployed a "Hunt Forward team in collaboration with Albania to conduct network defense activities alongside the partner nation to identify, monitor, and analyze adversary tactics, techniques, and procedures". Cyber Command spends a lot of time and effort convincing partners about the value and benefit of these operations.
  3. Australian BEC arrests: The Australian Federal Police arrested four members of an alleged BEC syndicate. They are accused of laundering more than AUD$1.7m. Risky Biz News has more coverage.

Seriously Risky Business is supported by the Hewlett Foundation's Cyber Initiative and corporate sponsor Proofpoint.

Tines No-code Automation For Security Teams

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In this video demo, Tines CEO and co-founder, Eoin Hinchy, demonstrates the Tines automation platform to host Patrick Gray.


Linus Tech Tips Rolls Incident Response

Popular technology YouTube channel Linus Tech Tips was hacked and its owner, Linus Sebastian, has since published a good post-mortem of what happened, including suggesting mitigations for both creators and YouTube. It's a good explanation of this kind of attack and the angst it caused.

The channel was compromised after an employee opened what appeared to be a sponsorship offer PDF. It contained malware that stole browser session cookies, which allowed the attackers to control the channel. Even though the channel was using multi-factor authentication it didn't help, because the attackers never needed to log in: the stolen cookie already represented an authenticated session.

This type of attack isn't new, and Google's own TAG wrote about YouTube cookie theft back in late 2021, but the story illustrates how there are trade-offs between security and ease of use. YouTube could make security more robust — Sebastian's video makes several suggestions such as requiring authentication for channel actions such as changing name or bulk deletion of videos — but it appears that they've decided the user pain caused by tighter security isn't worth it.

In practice this means that instead of more onerous security requirements, big channels get personal support to recover — Sebastian says it took "about half an hour" to receive a response from Google after reaching out. Obviously, this personalised support doesn't scale to all of YouTube.
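To make the mechanics concrete, here is an added example of the session model the attack exploits and the mitigation Sebastian suggests. It is constructed for this newsletter and is not YouTube's or Linus Tech Tips' code: the user store, the fixed six-digit second-factor code (a stand-in for a real TOTP or WebAuthn check), the five-minute freshness window and the cookie rotation on step-up are all assumptions. Login checks the second factor once and hands back a cookie; routine actions only need the cookie, so a stolen copy replays fine an hour later, while destructive channel actions demand a fresh second-factor proof the attacker cannot supply.

```python
"""Added example (not YouTube's or LTT's code): session-cookie replay versus
step-up authentication for high-risk channel actions. All data is constructed."""
import hmac
import secrets
import time

STEP_UP_WINDOW_SECONDS = 300  # assumption: a second-factor proof stays "fresh" for 5 minutes

# Actions that can hijack or wreck a channel; adapted from the post-mortem's suggestions.
SENSITIVE_ACTIONS = {"rename_channel", "bulk_delete_videos", "change_recovery_email"}


class AuthError(Exception):
    pass


class StepUpRequired(AuthError):
    """Valid session, but this action needs a fresh second-factor proof first."""


class Platform:
    """Minimal server-side session store. `clock` is injectable so time can be advanced."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # Constructed user store; the MFA code is a fixed stand-in for a TOTP seed.
        self.users = {"ltt": {"password": "hunter2", "mfa_code": "123456"}}
        self.sessions = {}  # cookie value -> {"user": ..., "last_mfa_at": ...}

    def _check_mfa(self, user, code):
        return hmac.compare_digest(self.users[user]["mfa_code"], code)

    def _session(self, cookie):
        session = self.sessions.get(cookie)
        if session is None:
            raise AuthError("no such session")
        return session

    def login(self, user, password, mfa_code):
        """Password plus second factor, checked once at login. Returns the session cookie."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            raise AuthError("bad credentials")
        if not self._check_mfa(user, mfa_code):
            raise AuthError("bad second factor")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "last_mfa_at": self.clock()}
        return cookie

    def step_up(self, cookie, mfa_code):
        """Re-prove the second factor. Rotates the cookie so a previously stolen copy
        does not inherit the fresh proof."""
        session = self._session(cookie)
        if not self._check_mfa(session["user"], mfa_code):
            raise AuthError("bad second factor")
        del self.sessions[cookie]
        new_cookie = secrets.token_urlsafe(32)
        self.sessions[new_cookie] = {"user": session["user"], "last_mfa_at": self.clock()}
        return new_cookie

    def perform(self, cookie, action):
        """Any valid session may do routine actions; sensitive ones need a recent step-up."""
        session = self._session(cookie)
        stale = self.clock() - session["last_mfa_at"] > STEP_UP_WINDOW_SECONDS
        if action in SENSITIVE_ACTIONS and stale:
            raise StepUpRequired(action)
        return f"{session['user']}: {action} ok"


def demo():
    """Employee logs in with MFA, malware steals the cookie, attacker replays it an
    hour later. Returns a dict of outcomes for each step."""
    now = [1_700_000_000.0]
    platform = Platform(clock=lambda: now[0])
    outcomes = {}

    cookie = platform.login("ltt", "hunter2", "123456")  # the only MFA prompt the user sees
    now[0] += 3600  # infostealer exfiltrates the cookie; attacker uses it an hour later

    # Replay works for routine access: the server never re-checks MFA, the cookie IS the login.
    outcomes["attacker_view"] = platform.perform(cookie, "view_analytics")

    try:  # the destructive action is gated on a fresh second factor
        platform.perform(cookie, "bulk_delete_videos")
        outcomes["attacker_bulk_delete"] = "allowed"
    except StepUpRequired:
        outcomes["attacker_bulk_delete"] = "step-up required"

    try:  # the attacker holds the cookie but not the second factor
        platform.step_up(cookie, "000000")
        outcomes["attacker_step_up"] = "accepted"
    except AuthError:
        outcomes["attacker_step_up"] = "rejected"

    # The owner's browser still holds the original cookie; step-up swaps it for a fresh one.
    fresh_cookie = platform.step_up(cookie, "123456")
    outcomes["owner_bulk_delete"] = platform.perform(fresh_cookie, "bulk_delete_videos")

    try:  # the stolen copy died with the rotation
        platform.perform(cookie, "view_analytics")
        outcomes["stolen_cookie_after_rotation"] = "still valid"
    except AuthError:
        outcomes["stolen_cookie_after_rotation"] = "rejected"
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting. First, step-up only narrows the blast radius: with a stolen cookie the attacker can still do everything outside `SENSITIVE_ACTIONS`, so the list has to cover every action that changes ownership, identity or content in bulk. Second, rotating the cookie on step-up matters because a freshness timestamp on its own would let anyone holding a copy of the cookie piggyback on the owner's proof for the next five minutes; a production system would also consider binding the session to the device that completed the step-up.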

It's worth noting that in contrast Meta is taking a different approach by trialling "Meta Verified", where users pay to get better support.

Guacamaya Speaks!

The Record has an interesting interview with Guacamaya, a South American hacktivist group that has been on a tear in recent months. It most recently uncovered evidence of Mexican government abuse of NSO Group spyware. We think they are genuine hacktivists.

There are some gems in the interview. When asked about appearing to have a feminist bent, Guacamaya replied: "Yes, it is true, for western and westernised culture it is 'novel' that women exist as beings, as political subjects… as if the feminine were not the very basis of life."

DPRK Finds New Ways to Launder Cryptocurrency

North Korean group APT43 has been using stolen cryptocurrency to pay for hash rental and cloud mining services that mint new cryptocurrency, according to a new Mandiant report. The idea here is that the cryptocurrency the group gets back is "clean" because it is newly minted and has no on-chain link to the theft. Wired has a good write-up.

Paying A Ransom Is Not An Excuse

Just a reminder that paying a ransom doesn't magically improve an organisation's security. The UK's Information Commissioner's Office and the NCSC have issued a joint letter to "share some key messages with the legal profession". It's just so British:

It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.

Meanwhile, across the pond, New York's attorney general has fined a law firm USD$200,000 after sensitive hospital data was stolen from it. The law firm had paid a USD$100,000 ransom.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at what the real problem with TikTok is.

From Risky Biz News:

Team Synacktiv wins a Tesla and a cool half mil at Pwn2Own 2023: French cybersecurity firm Synacktiv has won this year's Pwn2Own hacking contest after dominating the competition with six successful exploits that brought its researchers a cool half mil ($530,000), the biggest award ever raked in by one contestant in Pwn2Own's history.

[more at Risky Biz News]

Iran receives Russian cyber-weapons: The Russian government is supplying advanced cyber weapons to Iran. The deal is part of an exchange where Iran has provided Russia with drones and ammunition to be used in its war in Ukraine. Sources who spoke with the Wall Street Journal say the Tehran regime has received advanced software to hack the phones and systems of dissidents and adversaries. In addition, Russia has provided Iran with equipment and software for internet censorship, allowing Tehran officials to monitor, intercept, redirect, or degrade the mobile communications of its citizens.

Ransomware in February: Security firm NCC Group says the LockBit ransomware group accounted for the vast majority of ransomware attacks that took place in February 2023, with 129 ransomware attacks out of a total of 240. It marks a 150% spike in the group's activity compared to January when it hit only 50 victims.