Director of National Intelligence to Monitor Commercial Spyware Industry

PLUS: Why TSA's pipeline regulations may fail and how rooftop solar became critical infrastructure.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Director of National Intelligence to Monitor Commercial Spyware Industry

Commercial spyware providers such as NSO Group are now firmly in the political crosshairs.

On Wednesday this week the US House of Representatives Intelligence Committee held an open hearing into commercial cyber surveillance. And last week the Intelligence Authorisation Act (IAA), which includes several anti-spyware provisions, passed the House Intelligence Committee with bipartisan support. (The Washington Post and CyberScoop both have excellent reporting on this.)

It's hard to see that some of these provisions — even if they do make it through to the final version of the Intelligence Authorisation Act — will make much of a dent in the spyware firms of concern. One provision, for example, allows the DNI to ban contracts with foreign firms making surveillance technology, which seems like a stick that won't ever be used.

Mercenary spyware vendors won't be looking to the US government as a possible client to begin with, and companies with significant US government contracts will be very careful to avoid providing their services and products to regimes with a past history of abuse for fear of irritating their biggest customers.

Other draft provisions look like they'll be more effective. The act would allow the President to impose sanctions on firms posing a national security risk to the US, which should encourage tighter oversight by vendors. Best of all, we think, is the requirement for the DNI to produce an annual assessment of foreign commercial spyware.

These provisions essentially ask the question of the intelligence community, "how much should we worry about foreign commercial spyware?" while in the meantime telling foreign spyware firms "don't do bad stuff".

This is good because it will bring foreign spyware providers into the intelligence community's scope. The DNI requirement will force the IC to actually pay attention to foreign spyware providers. Until now, the wider IC hasn't really had much of a reason to pay close attention.

It's easy to think of reasons that NSO Group and its ilk should be of interest to intelligence organisations.

The NSA and Cyber Command may want to know what type of exploits these companies have up their sleeves, for example. Or perhaps the wider IC would like to understand who exactly is being targeted with commercial spyware tools and by whom.

It's easy to see how the commercial spyware issue flew under the natsec radar for years. As long as companies like NSO stuck to a purported exclusive focus on criminal and terrorist targets it didn't represent any kind of threat to US national security interests.

That lawmakers have proposed anti-spyware provisions indicates that foreign commercial spyware is no longer a minor national security problem — it's now a minor national security problem with significant political interest attached. That's a good thing, because the spyware business is booming.

At its peak NSO Group alone was valued at nearly USD$1bn with annual revenues of nearly USD$250m. And while NSO Group is struggling in the wake of US sanctions, there will always be industry players that will push boundaries for cash. This week, for example, news broke that Israeli firm Candiru was using a Chrome 0day to target users including journalists in the Middle East. Also this week Microsoft released research claiming exploits developed by an Austrian company have been used against targets in Central America, the UK, Panama and Austria itself. And on Wednesday Shane Huntley, of Alphabet's Threat Analysis Group, in written testimony to the House Intelligence Committee, described an array of commercial spyware and hack-for-hire operators. The hacker-for-hire industry is evolving and growing.

An annual DNI assessment may not seem like a big deal, but it is the best first step towards reining in the industry as a whole. Applying pressure to make the industry gear itself towards criminal and counter-terrorism investigations rather than political threats is good. Staying on top of this will require constant effort over time as the industry changes and evolves.

Legislators' options are limited, but these annual DNI assessments will provide the executive branch with the information it needs to make decisions about how to address any issues as they pop up.

TSA Pipeline Regulations Won't Fix Sector's Skill Shortage

Last Thursday, the US Transportation Security Administration (TSA) unveiled revised oil and natural gas pipeline cyber security directives to lukewarm approval after the original directives from July last year were broadly panned by industry and experts. But this feel-good news story — initially flawed government regulation being improved after a receptive regulator listened to stakeholders — hides a deeper, more worrying truth. The depth of workforce expertise to improve critical infrastructure (CI) cyber security just doesn't exist, and despite increasing threats to the energy pipeline sector, there are no quick fixes.

Speaking to Seriously Risky Business, Marty Edwards, Deputy CTO for OT/IoT at Tenable, praised the TSA for listening "to feedback provided by industry" and moving from prescriptive requirements towards a "more objective set of achievable requirements".

"This is an incredibly difficult balance to try to get right, and from my perspective, the TSA has done a reasonable job with this new set of security measures," he said.

Writing down some rules on a piece of paper is one thing, but Patrick Miller, CEO of Ampere Industrial Security and a former electricity sector regulator, fears there isn't enough cyber security expertise in the sector as a whole — including in the TSA — to impose and implement effective regulation quickly.

Miller's view is that although regulators tend to aim for perfect regulation, he "would rather have a mediocre, or ok, or even crappy regulation in the hands of a seasoned regulator, a regulator that knows what they are doing and knows how to measure, knows how to monitor… It's not really about the standard, but how you are going to measure it… the bigger challenge is how you monitor and enforce that standard".

Unfortunately, Miller's view is that regulatory expertise doesn't exist in the TSA and can't be employed any time soon.

"There's not enough people out there who can do this already, and the few that can are happily handcuffed with gold handcuffs to a utility, or are at a consulting firm making more money than they probably should," he says. To get appropriately qualified people is "near impossible on a government salary," he says, and he's "frightened for what the measurement is going to look like".

Despite also thinking that the short-term result of imposing regulation will be "a cluster", Miller firmly believes regulation should be implemented. "Doing something is important because if it doesn't work we figure that part out. And not doing something is worse, so even though it is going to be a cluster we should still definitely do it. It's very important."

When IoT Devices Become Critical Infrastructure

Horrendously bad security at Solarman, a Chinese company that provides remote management and monitoring of rooftop solar panels, shows that standards for what is considered critical infrastructure need to evolve as energy generation becomes more distributed.

Rooftop solar installations often have inbuilt proprietary remote monitoring capabilities accessible via web browser and a variety of brands connect to Solarman's monitoring backend. These brands, including Solarman, Solis, Omnik, and Ginlong, are widely distributed in China, Australia and the Netherlands. Rooftop solar owners and installers use these types of systems to monitor system production and check for faults.

Jelle Ursem, a security researcher at the Dutch Institute for Vulnerability Disclosure (DIVD), found that Solarman's web platform administrator password was exposed in a GitHub repository. This "Super Administrator" account gave Ursem access to all customer data (including GPS coordinates of the installation) and also the ability to upload new firmware to devices. It's easy to imagine scenarios where uploading firmware disrupts electricity production. There are over 40,000 installations of Solarman devices in the Netherlands alone.

After the vendor was informed of the snafu, the password (a Chinese name followed by '123') was relatively quickly changed, but for some inexplicable reason later changed back to the original password in the GitHub repo. This time, however, notifying the vendor directly had no effect and the issue was eventually resolved after some months by escalating it through Dutch diplomatic channels to China's CERT.
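The root cause here is a credential committed to a public repository, which is exactly the class of mistake that a pre-commit or CI secret scan is meant to catch before it ships. The following is an added example written for this newsletter, not code from DIVD, Solarman or any of the vendors named above: a small scanner that walks repository text, flags assignments to password-, secret- or token-like keys that carry a literal value, skips obvious placeholders, and additionally labels values that follow the weak "word followed by a few digits" shape described above. The repository contents and the credential value it finds are constructed for the example.

```python
import re
from typing import Dict, Iterator, List, NamedTuple

# Constructed sample repository content (hypothetical paths and values; not
# Solarman's code or its real credential).
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "ADMIN_USER = 'super_admin'\n"
        "ADMIN_PASSWORD = 'zhangsan123'   # constructed example value\n"
    ),
    "deploy/env.example": (
        "API_URL=https://monitor.example.invalid\n"
        "API_TOKEN=${API_TOKEN}\n"
    ),
    "README.md": "Set ADMIN_PASSWORD in the environment before starting.\n",
}


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    reason: str


# An assignment (KEY = value, KEY=value or key: value) whose key name contains
# a credential-like word. The value may be quoted or bare.
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_]*(?:password|passwd|secret|token|api_key)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*(?P<quote>['\"]?)(?P<value>[^'\"\n#]+)(?P=quote)",
    re.IGNORECASE,
)

# Values that are templates or placeholders rather than real secrets:
# ${VAR} environment references, <fill in> markers, or "changeme"-style text.
PLACEHOLDER_RE = re.compile(
    r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$|^<[^>]+>$|^(changeme|xxx+|todo)$", re.IGNORECASE
)

# The "name followed by 123" shape, generalised to a word plus 2-4 digits.
WEAK_VALUE_RE = re.compile(r"^[A-Za-z]{3,}\d{2,4}$")


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per line that assigns a literal credential value."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = SECRET_KEY_RE.match(line)
        if not match:
            continue
        value = match.group("value").strip()
        if not value or PLACEHOLDER_RE.match(value):
            continue  # templated or placeholder value, not a committed secret
        reason = "hardcoded credential"
        if WEAK_VALUE_RE.match(value):
            reason += ", weak word+digits pattern"
        yield Finding(path, line_no, match.group("key"), reason)


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: text} mapping and collect all findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.key}: {f.reason}")
```

Run against the sample, the scanner reports only `config/settings.py:3`, because the `${API_TOKEN}` reference in the env template is recognised as a placeholder and the README line is prose rather than an assignment. A real deployment would read files from the working tree or the staged diff and fail the commit or CI job on any finding; the point of the weak-pattern label is that a credential this guessable would be a problem even if it had never been committed.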

As distributed energy generation such as rooftop solar becomes a relatively more important part of energy generation, at what point do these types of vulnerabilities need the same scrutiny as critical infrastructure? A single rooftop solar installation is inconsequential, but what if rooftop solar makes up 10% of your energy supply? Or 20%? Or more? Including wind turbines, which could be susceptible to similar issues, South Australia regularly gets more than half its electricity from sources that could be vulnerable to these kinds of attacks.

What is an appropriate regulatory regime? Current critical infrastructure legislation is focussed on individually significant assets owned by a small number of organisations. This isn't appropriate for rooftop solar, but this doesn't make the potential concern about deliberate or even accidental disruption go away. Dutch members of parliament have asked the government to examine the possible national security risk.

Three Reasons to be Cheerful this Week:

  1. Doxxing cybercriminals: The person behind the pancak3stack twitter account has created a substack newsletter doxxing cyber crime operators. The posts include photos, various ID numbers and dates of birth. Making criminals' lives harder seems like a good thing.
  2. Happy Birthday to No More Ransom!: The No More Ransom initiative celebrated its sixth anniversary this week. The Europol, Dutch police and IT security collaboration started with just four decryption tools and now has 136 free tools for 165 ransomware variants. These tools have been downloaded over 10 million times and have helped over 1.5 million people decrypt files without paying a ransom.
  3. Belgium takes on China: Last week the Belgian government called on Chinese authorities "to take action against malicious cyber activities undertaken by Chinese actors". The statement from the Minister for Foreign Affairs named specific groups including Gallium and APT27, 30 and 31. We applaud their solo official attribution, although we (and others) are wondering what international norms the Chinese hackers broke.

Running a Global Vulnerability Management Program with Nucleus

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Scott Kuffer shows Patrick Gray the ins and outs of Nucleus Security. Nucleus is a platform that ingests the scan outputs from a number of vulnerability identification tools, normalises that information and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

You can subscribe to our product demo page on YouTube here.

Shorts

US Privacy Legislation Closer, Yet Further

The American Data Privacy and Protection Act (ADPPA), a US federal data protection law progressing through Congress contains some features we approve of. Wired examines the ADPPA's focus on data minimisation:

Generally, companies would only be allowed to collect and make use of user data if it’s necessary for one of 17 permitted purposes spelled out in the bill — things like authenticating users, preventing fraud, and completing transactions.

This data collection also needs to be "reasonably necessary and proportionate" although of course the devil is in the detail — one of the permitted purposes is to deliver targeted advertising. Adults, however, would be able to opt out of targeted ads and targeting of people under 17 would be prohibited. So, all in all, some reason for optimism.

Unfortunately, it looks like the bill won't pass, at least in its current form. Senator Maria Cantwell, the chair of the Senate Commerce Committee doesn't back it.

Squaring the Child Safety and Encryption Circle

Crispin Robinson and Ian Levy, technical directors of the GCHQ's cryptanalysis function and the UK's NCSC, have released a paper on reconciling encryption and child safety online. They argue that child safety or encryption are not binary opposites and that online harms occur in a variety of ways that can be at least somewhat mitigated without compromising end-to-end encryption. The full paper is quite long, but the authors have also published a Lawfare post.

DHS' War on Disinfo, Round Two

CyberScoop has an excellent article on US DHS efforts to tackle disinformation. The key takeaway is that most government agencies should tackle disinformation by promoting its opposites: transparency, free speech, civil rights, civil liberties and privacy.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also has interesting interviews.

How the Belarus Cyber Partisans Got Good

In this interview, The Grugq and Seriously Risky Business author Tom Uren discuss the evolution of the Belarus Cyber Partisans. The group first emerged in 2019 to zero fanfare when its early campaigns fell flat. But its tactics have improved and these days it’s giving the Belarusian government some serious headaches.

It has disrupted railways, infiltrated intelligence agencies and stolen massive government databases and troves of Belarusian audio intercepts including Interior Ministry intercepts from foreign embassies in Belarus. But how did they evolve into an effective group?

Tom and The Grugq think it’s because they’ve independently reinvented how professional intelligence agencies do business and are reinventing the intelligence cycle, which encompasses planning, collection, processing and exploitation, analysis and dissemination. The Cyber Partisans started with collection and exploitation but have more recently invested in analysis and dissemination, turning raw intelligence into something that will have impact.

Upgrading Auth in the Middle of a War

Catalin Cimpanu has a fascinating interview with Yuriy Ackermann, VP of War Efforts at Hideez, about deploying tens of thousands of Yubikeys in the midst of the Russian invasion. In the invasion, Ackermann says "the difference between security [and] insecurity is [the difference] between somebody dying and somebody living".

This kind of urgency means the Yubikeys are being deployed quickly, but it still takes time to get things right when rolling them out. One hurdle, for example, has been educating decision makers about FIDO, Yubikeys and the ongoing licensing model (free!). Hideez wants to deploy 100,000 keys to Ukraine.

From Risky Biz News:

Underground bots for stealing OTPs: Recorded Future has a report on the avalanche of automated bots offered in underground cybercrime communities that can be used to bypass one-time-passcodes (OTPs) for various online services.

Attack on Italy's tax agency: The operators of the LockBit ransomware gang claimed to have breached, encrypted, and stolen data from Italy's tax and revenue agency. However, Sogei, the Italian IT company that services the Italian government, denied LockBit's claims and said in a statement that "no cyberattacks have occurred or data stolen from the financial administration's technological platforms and infrastructure." [Additional coverage in The Record]