Trump vs Krebs and the Sound of Silence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Airlock Digital.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Crickets

Founding CISA director Chris Krebs has been forced out of a senior executive position at SentinelOne by a presidential memorandum that targeted him by name. It's an extraordinary attack on a former public servant that makes Americans less safe.

President Donald Trump's memo last week ordered a federal investigation into Krebs and revoked his security clearance. It also targeted his employer by suspending all clearances held by SentinelOne employees. Krebs was chief intelligence and public policy officer there and has been a regular guest on the Risky Business podcast. 

While anecdotally there is broad support for Krebs, most cyber security firms have not stuck their heads above the parapet this week. It's disappointing, but we understand why. Unlike the legal profession, which has also been targeted by the Trump administration, the industry has no oath tying it to uphold the Constitution and the rights of citizens. There is no vital interest that it must defend. Most organisations feel there is simply more to lose than there is to gain.

Krebs is being targeted because he did his job — securing the 2020 election. Politico describes the history of Trump's beef with Krebs:

Krebs, who was the administration’s top cybersecurity official responsible for election security, was fired by Trump via tweet after he had asserted shortly after President Joe Biden's victory in 2020 that "in every case of which we are aware, these claims [of fraud] either have been unsubstantiated or are technically incoherent." He had also authorized a joint statement by CISA and other stakeholder groups that said the election was secure and that there was no indication of votes being changed or stolen, which angered Trump.
He was also a key witness for the Jan. 6 select committee, describing his efforts to secure the 2020 election and rebut conspiracy theories about the election and shore up voters' confidence in the results. In his interview, he lamented that Republican leaders had catered to the false notion that the election was stolen, creating a "self-reinforcing cycle" of doubt. "Republican officials, senior officials, including the former President, lied to the American people about the security of the 2020 election," he told the panel.

This week's escalation of that beef is alarming. Writing in support of Krebs, Katie Moussouris, CEO of Luta Security and former member of the Cyber Safety Review Board, pointed out that "…targeting a former government employee for doing their job and broadening it to their current employer half a decade later will have a chilling effect that makes us all less safe". She continued:

Companies will hesitate to hire former government cybersecurity experts, depriving the private sector of their much-needed experience and perspective, and the federal government will have an even harder time attracting and retaining top cybersecurity talent.
National security cannot afford to lose either side of that talent exchange as we face growing threats that need experienced and knowledgeable cybersecurity professionals in both the public and private sectors. We must do what we can to stem the damage from this action.

On the Risky Business podcast Rob Joyce, former Cybersecurity Director at NSA, agreed, saying "this clash really blurs politics and cybersecurity".

"So that, to me, makes all of us less safe," he continued.  

Although the memorandum purports to "promote the free speech rights of Americans", it has the exact opposite effect. As we previously mentioned, very few in the cyber security industry have commented on the incident for fear of retribution from the White House.

But how should the industry respond? 

It's worth remembering that this memo isn't an isolated action. It is just one part of a wider campaign to punish Trump's perceived political enemies. Separate executive orders the same day took aim at Miles Taylor, chief of staff at the Department of Homeland Security during Trump's first term, and law firm Susman Godfrey.

These orders come hot on the heels of other executive branch actions that punished major law firms for representing clients Trump doesn't like. At least five firms have offered substantial concessions to avoid being singled out by White House sanctions that could include the potential loss of federal government contracts. Three firms have filed lawsuits in response to the orders. Per MSNBC:

Three firms, Perkins [Coie], WilmerHale and Jenner & Block, have filed lawsuits and obtained temporary restraining orders. Three different judges have found a substantial likelihood of success on the merits of their claims that the orders violate the Constitution. Amicus briefs supporting Perkins Coie have been signed by more than 500 law firms and a number of prominent former senior government officials, including officials who were appointed by Republican presidents such as former FBI and CIA Director William Webster and retired Judge J. Michael Luttig.

The action against Krebs may not be an all-out assault on the cyber security industry, but that doesn't mean the industry should sit idly by. And as much as we'd love to see it speak out, that's unlikely to happen.

The US constitution provides a system of checks and balances that is designed to prevent the executive from exercising unreasonable power. For now, Congress seems unwilling to hold the executive branch accountable, so we expect to hear the same thing from all the major industry players: crickets.

Depressing.

China's "Volt Typhoon Admission" Is as Clear as Mud

The US government believes that China's leadership is aware of and endorses Volt Typhoon's activities in US critical infrastructure. We are not so sure.  

Volt Typhoon is particularly concerning because it appears China is prepositioning itself to disrupt US critical infrastructure in the event of a military conflict. This week, The Wall Street Journal reported that Chinese officials privately admitted to US officials that they were behind the campaign. If true, this is a big deal.

The report centers on a secret meeting held in December last year in Geneva between Chinese and American officials. 

The report is a fascinating insight into what goes on in these kinds of meetings. The US wanted to use the opportunity to assert to China that prepositioning in civilian infrastructure was unacceptable. Another goal was to make sure China's political and military leadership were actually aware of Volt Typhoon's activities in the first place. American officials were unsure whether Beijing really understood what was happening, so they decided to brief the Chinese delegation on China's own hacking campaigns.

In the US system it is inconceivable that senior leadership would not know about hacking-for-sabotage efforts targeting Chinese critical infrastructure, for example. And Chinese state-sponsored actors are almost certainly responsible for Volt Typhoon's activities. 

With that in mind, let's look at the big admission reported by The Wall Street Journal:

During the half-day meeting in Geneva, Wang Lei, a top cyber official with China’s Ministry of Foreign Affairs, indicated that the infrastructure hacks resulted from the U.S.'s military backing of Taiwan, an island Beijing claims as its own, according to current and former U.S. officials familiar with the conversation. 
Wang or the other Chinese officials didn't directly state that China was responsible for the hacking, the U.S. officials said. But American officials present and others later briefed on the meeting perceived the comments as confirmation of Beijing's role and as intended to scare the U.S. from involving itself if a conflict erupts in the Taiwan Strait.

So let's get this straight: the WSJ report says that US officials who were in the room, or briefed afterwards, interpreted the comments as a tacit admission and as a warning to the US about Taiwan. Nobody on the Chinese side actually said China did it.

To us, this is unconvincing. The Chinese representative's comments sound exactly like the bellicose rhetoric expected of officials standing up for their country's interests. So we're still not sure that the officials in the meeting had actually been read in on the Volt Typhoon campaign. There's a good chance they were just doing some old-fashioned tub-thumping.

Regardless, it's clear the US government now believes China is not only aware of, but endorses the activity of, Volt Typhoon. The US will now treat the campaign as an action endorsed by the highest levels of Chinese leadership, and that feels like an escalation. 

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. US joins Pall Mall agreement against abusive spyware: The State Department has said it will sign a voluntary and non-binding Code of Practice to regulate commercial spyware. Last week 21 countries signed up to the Code which was developed over the last year in an international diplomatic effort known as the Pall Mall Process. It's not clear why the US did not sign up earlier.   
  2. To CVE or not to CVE: Just one day after the MITRE corporation warned that US government funding for the Common Vulnerabilities and Exposures (CVE) program was expiring, a new non-profit organisation has stepped up to (hopefully) fill the breach. The CVE Foundation formally launched yesterday to "ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures Program". 
  3. When hacking crosswalks is joyful: Crosswalk buttons in Silicon Valley were hacked over the weekend to play audio snippets that imitate the voices of Mark Zuckerberg and Elon Musk. It's not exactly good news, but it does make us cheerful. TechCrunch's reporting includes videos of the hacked crosswalks and it is delightful.  

In this Risky Bulletin sponsor interview David Cottingham and Peter Baussman, Airlock Digital’s CEO and CTO, talk to Tom Uren about new Australian Cyber Security Centre guidance about building defensible networks. The pair cover what they like about the document and where it could be improved.

In this product demo Airlock Digital co-founders Daniel Schell and David Cottingham show Risky Business host Patrick Gray around the latest version of the company's allowlisting software.

Shorts

Ransomware Insurance Pays off… for Criminals

New research has found that ransom payments are a lot higher when the victim company is insured.

The finding is based on analysis of over 500 ransomware incidents which took place from 2019 to 2023. Tom Meurs, a cybercrime specialist in the Dutch police, found that companies with ransomware insurance pay 2.8 times higher ransoms on average. He says that ransomware actors actively search for insurance policy documents. If they find them, it gives them a better bargaining position to demand higher ransoms. 

In better news for the companies, though, those with well-designed backup systems that cannot be modified by ransomware actors are less likely to pay a ransom.

What to Do About Submarine Cables

We've been wondering what to make of all the submarine cable breaks in the news, and it turns out a former colleague of mine, Jocelinn Kang, recently wrote a short primer.

One key message is that while deliberate sabotage is suspected as a cause of cable breaks, there has never been firm evidence. In the Baltic, one region of particular concern, the number of cable faults has risen in line with the increase in maritime traffic, suggesting accidental rather than deliberate acts.  

Still, that's no reason to be complacent. Accidental breaks demonstrate the vulnerability of seafloor infrastructure, which also includes power cables, energy pipelines and sensor networks. 

Kang references a range of responses from different governments but notes that "attribution remains difficult — which means deterrence is too". Just like cyber. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the idea of global critical infrastructure. One common example is submarine cables, which are globally important but are vulnerable because they are hard to defend. But what about services from tech giants? Are they global critical infrastructure?

Or watch it on YouTube!

From Risky Bulletin:

CA/B Forum approves 47-day TLS certs: The CA/Browser Forum passed a ballot to reduce the maximum validity of TLS certificates from the current 398 days to just 47 days by 2029.

The ballot passed without opposition, with 28 votes in favor and five abstentions.

The reduction will take place across three phases between March next year and March 2029.

The maximum lifespan of a TLS certificate will be reduced to 200 days next March, 100 days in March 2027, and finally to 47 days for all certificates issued after March 15, 2029.

[more on Risky Bulletin]

Chinese APT abuses Windows Sandbox to go invisible on infected hosts: A Chinese cyber-espionage group named MirrorFace (aka Earth Kasha, linked to APT10) is abusing the Windows Sandbox virtual environment to hide the execution of its malware on infected systems.

Attacks incorporating Windows Sandbox have been taking place since 2023 and represent the first known case of Windows Sandbox abuse since its release in December 2018.

As the name hints, the feature allows Windows users to start an isolated sandbox where they can temporarily install/test apps and then shut down the virtual environment without impacting the main OS and their data.
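Because the sandbox is configured from a small XML file (a .wsb file) that can map host folders into the sandbox and run a command at logon, a defender's first question on a host where Windows Sandbox is enabled is what those configuration files do. The triage script below is an added example, not code from the original page or from any vendor report on this campaign, and it makes no claim about how MirrorFace configured its sandboxes. It assumes the documented .wsb layout (a Configuration root with optional Networking, MappedFolders/MappedFolder and LogonCommand elements) and runs over a constructed sample:

```python
"""Triage Windows Sandbox (.wsb) configuration files for risky settings.

Added example, not code from the original page or from any vendor report.
Assumes the documented .wsb XML layout: a <Configuration> root with
optional <Networking>, <MappedFolders>/<MappedFolder> and <LogonCommand>.
The sample below is constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed sample: maps a writable host folder into the sandbox and runs
# a command when the sandbox logs on. Nothing here is taken from the
# reported intrusions.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\stage</HostFolder>
      <SandboxFolder>C:\\stage</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd.exe /c C:\\stage\\run.bat</Command>
  </LogonCommand>
</Configuration>"""


def _text(elem, path, default=""):
    """Text of the first child matching `path`, or `default` if absent."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else default


def triage_wsb(xml_text: str) -> dict:
    """Return the settings an analyst cares about plus a list of findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError(f"unexpected root element {root.tag!r}")

    # Networking is on unless the file explicitly says "Disable".
    networking = _text(root, "Networking", "Enable").lower() != "disable"

    mapped = []
    for mf in root.iterfind("MappedFolders/MappedFolder"):
        # ReadOnly defaults to false when absent: the sandbox can then write
        # back into the host path.
        read_only = _text(mf, "ReadOnly", "false").lower() == "true"
        mapped.append({"host": _text(mf, "HostFolder"), "read_only": read_only})

    logon_cmd = _text(root, "LogonCommand/Command") or None

    findings = []
    if logon_cmd:
        findings.append(f"logon command runs automatically at sandbox start: {logon_cmd}")
    for m in mapped:
        if not m["read_only"]:
            findings.append(f"host folder mapped writable into the sandbox: {m['host']}")
    if networking and logon_cmd:
        findings.append("networking enabled together with a logon command: "
                        "the sandbox can fetch payloads over the network")

    return {
        "networking": networking,
        "mapped_folders": mapped,
        "logon_command": logon_cmd,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_wsb(SAMPLE_WSB)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

On a real host, feed the script every .wsb file found on disk and pair the findings with whether the optional feature is enabled at all; a logon command pointing at a writable mapped folder on a machine where nobody uses Windows Sandbox deserves a look.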

[more on Risky Bulletin]

AI slopsquatting... it's coming! Security firms, open-source experts, and academics are warning about a new supply chain vector they're calling slopsquatting.

The technique's name is a combination of terms like AI slop and typosquatting.

It revolves around the increasing use of AI coding tools to generate blocks of source code that may sometimes make their way into production systems.

https://mastodon.social/@andrewnez/114302875075999244

A recent academic paper that analyzed 16 AI coding models found that these tools generate shoddy code that often includes and loads packages and libraries that don't exist.

[more on Risky Bulletin]