Expect More Covert Action Under Trump

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Kroll.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Predicting Trump’s second-term moves is a mug’s game, but here’s our best guess: cybersecurity policy initiatives will be sensible but unambitious, while the intelligence community (IC) will be asked to carry out bold—and maybe even bonkers—operations.

This is based on our examination of Trump's first term which, from a narrow cyber security perspective, was just fine. 

In 2017, for example, Trump issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and expanded on this in 2018 with the release of a National Cyber Strategy. These were both sensible efforts, not as ambitious as the Biden administration's 2023 strategy, but entirely appropriate for the time. 

In 2018 Trump issued an executive order intended to deter foreign actors from interfering with US elections. Another sensible step, and President Biden continued this order in September this year. 

These examples reflect Trump's lack of interest in cyber security issues. As long as they didn't cut across his vital concerns, experts in government could craft policy that was sensible, albeit pedestrian. At times this required careful wording. For example, in its second paragraph, Trump's 2018 executive order on imposing sanctions for interfering in a US election said:

Although  there  has  been  no  evidence  of  a  foreign  power  altering  the  outcome  or  vote  tabulation  in  any  United  States  election,  foreign  powers  have  historically  sought  to  exploit  America’s  free  and  open  political  system.

There is no evidence that foreign interference in the vote-counting machinery of elections has changed a result, but many people would argue that Russian interference on social media and via hack and leak operations swung the 2016 Presidential election in Trump's favour. The truth here is unknowable, but this was certainly a sore spot for Trump. The key thing is that with some fairly straightforward wordsmithing, the order's authors were able to work around the President's sensitivities to get good policy implemented. 

We expect that in Trump's second term there will be good people in the government continuing to push sensible, albeit incremental, policy reform.

However, from an IC perspective, there is good evidence that the incoming Trump administration will push for far more audacious or maybe even outlandish operations.  

Partly, this is because it appears that  key selection criteria for political appointees in Trump's second term is personal loyalty coupled with the ability to defend Trump on television, rather than in-depth subject matter expertise. Nominations announced so far include Tulsi Gabbard as Director of National Intelligence, Pete Hegseth as Secretary of Defense, and John Ratcliffe as CIA Director. 

In his first term, at the more reasonable end of the spectrum, Trump issued National Security Presidential Memorandum-13 (NSPM-13), a policy intended to remove procedural barriers to the authorisation of Department of Defense offensive cyber operations. In other words,  more aggressive Cyber Command (CYBERCOM) offensive operations, more often. 

Former US Cyber Command General Counsel, Gary Corn, said the policy prior to NSPM-13 was "a process that was notorious for reinforcing indecision" and John Bolton, Trump's national security advisor said the offensive cyber operations "interagency [consultation] process was frozen solid". 

When the Biden administration reviewed NSPM-13 it was dialled back slightly to give the State Department limited ability to provide input into cyber operations, so on balance this policy initiative was a positive. 

However, there are a few stories from Trump's first term that are frankly, bonkers. 

One, reported by Zach Dorfman writing for Yahoo News in 2021, involved the Australian WikiLeaks founder Julian Assange when he was holed up in the Ecuadorian embassy in London. After WikiLeaks published 'Vault 7' documents sourced from the CIA, Trump-appointed CIA Director Mike Pompeo wanted aggressive action against the organisation and designated it a "a non-state hostile intelligence service". This designation formally allowed the CIA to take more aggressive actions against WikiLeaks, including disrupting the group. Per Yahoo News:

At meetings between senior Trump administration officials after WikiLeaks started publishing the Vault 7 materials, Pompeo began discussing kidnapping Assange, according to four former officials. While the notion of kidnapping Assange preceded Pompeo's arrival at Langley, the new director championed the proposals, according to former officials.

…

Some discussions even went beyond kidnapping. U.S. officials had also considered killing Assange, according to three former officials. One of those officials said he was briefed on a spring 2017 meeting in which the president asked whether the CIA could assassinate Assange and provide him "options" for how to do so.

The kidnapping and assassination ideas ultimately went nowhere and there were reportedly  serious concerns about them raised within the CIA. 

Another example reportedly recently, also from Zach Dorfman writing this time for Wired, described the Trump administration's efforts to get the CIA to conduct operations to overthrow Venezuelan president Nicolás Maduro. This resulted in a cyber operation to disrupt the payroll system for Venezuela's military, but Trump administration officials describe the CIA's efforts as half-hearted. 

Other operations floated but not carried out included sabotage operations within Venezuela and remotely disabling oil tankers headed from Venezuela to Cuba.  

At the time Gina Haspel, a career intelligence officer, was CIA director. Per Wired: 

To some Trump-era officials, CIA executives—including CIA director Gina Haspel—were clearly opposed to the administration’s directive. Haspel "never bought into doing anything aggressive in Venezuela because she was still of the mind that we were ugly Americans," says a senior Trump-era official. Haspel declined to comment.

Although it wasn't an IC action, the Trump-ordered assassination of Iranian general Qasem Soleimani by drone strike is consistent with this philosophy—strike at enemies without being paralysed by the possible consequences. 

This inclination to aggressively use covert operations won't disappear in Trump's second term. He actively employs state power, whether it be by sanctions, drone strikes and military force or via covert action. And although the two first-term IC thought experiments we cite — kidnapping or assassinating Assange and toppling Maduro — were at least partly driven by personal animosity (from Pompeo and Trump), there are plenty of people to hate in the world. 

In his first term, based on the public reporting we have available, we'd have to give the IC top marks for behaving responsibly and pushing back on the bonkers ideas that were floated. The big question is whether those checks and balances will continue to hold?

Oh, and we wouldn't rule out creation of a cyber force, either. 

US and UK Back Flawed UN Cybercrime Treaty

A United Nations (UN) draft cybercrime treaty will be voted on in the UN General Assembly next month and while the US and UK governments recognise the treaty is flawed, they have decided to support it nonetheless. 

The UK government said the treaty's "broad scope of international cooperation… and its intrusive procedural powers" could present risks to human rights and also recognised some member states were already trying "to deny or dodge" human rights obligations present in the text. 

A US government statement echoed the UK government's concerns, and both countries committed to demanding accountability. Both said that countries should refuse requests from states that were violating the human rights provisions of the treaty. 

Jonathan Shrier, a US representative to the UN, told reporters part of the reason the US backed the treaty was to have a future role in shaping the way it was implemented. The Record has further coverage. 

Canada's TikTok Expulsion Order is Baffling

Last week the Canadian government ordered TikTok to close its offices in the country but otherwise left the app available for its citizens to use. 

The federal government Innovation Minister, François-Phillipe Champagne, said the decision was based on information from a national security review and advice from Canada's security and intelligence community.  

National security types are concerned about TikTok because of its PRC-based ownership coupled with its ability to collect data from its users, meaning it could be used for influence operations and political manipulation. Just this week, for example, The Information reported the company had modified its moderation policies ahead of the election to appeal to conservatives and the Trump campaign. That's not necessarily manipulation per se, but it does reflect a willingness by TikTok's management to pull levers when it needs to.  

Both data collection and manipulation are possible because people use the TikTok app, not because TikTok happens to have offices and staff in Canada. So we can't see how closing these offices achieves anything. 

Michael Geist, University of Ottawa law professor and Canada Research Chair in internet and e-commerce law, told Canada's CBC that shutting TikTok's offices might actually make it harder to enforce local laws.

"You want to have someone that you can deal with, that you can sometimes serve legal papers to," Geist said. "That's much tougher if the company isn't even operating here."

We are bemused. 

Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

1. Progress on secure-by-design: The Record summarises the progress some major vendors are making towards the Cybersecurity and Infrastructure Security Agency's (CISA) secure-by-design pledge. Here the good news is not so much the progress itself but that CISA plans to some extent to hold the companies accountable. The article itself points out, without any hint of snark, that Fortinet "says it's helping users of its old, end-of-life security products migrate to newer devices that still receive updates". We are more than a bit cynical about security commitments that boil down to 'sell more of our stuff', so hopefully that help includes significant discounts. 
2. 10 years for BEC scammer: A Nigerian national who had been living in the UK has been sentenced to 10 years in US prison for stealing almost USD$20m in BEC scams targeting real estate transactions. Some victims lost all the money they'd saved to buy a home and the victim impact statements are heartbreaking. Unfortunately, two of the scammers' co-defendants are still at large.  
3. Better security in Africa: Microsoft has announced that it is expanding its cyber security service for at-risk, highly-targeted organisations, AccountGuard, to three new markets in Africa: Nigeria, Kenya and South Africa. 

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with George Glass, Senior Vice-President for Kroll's Cyber Risk business. George covers the company's latest report, a Kimsuky attack on ConnectWise ScreenConnect devices with a new malware strain named ToddlerShark.

Sponsored: Kroll on the DPRK’s foray into enterprise gear - Risky Business

Sponsored: Kroll on the DPRK’s foray into enterprise gear

Risky BusinessPatrick Gray

Shorts

Why Italy Is a Spyware Hub

The Record analyses why Italy is a hub for spyware and is home to six major vendors and one supplier. 

One reason is that Italian companies got involved early with the first company, RCS, entering the industry back in 1992. Italian firms also tend to be much smaller than more infamous enterprises such as NSO Group. And rather than selling expensive, high-end, zero-click capability such as NSO Group's Pegasus, Italian spyware is cheaper, more accessible and more widely used. More Fiat than Ferrari.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how ungoverned spaces on Telegram result in increasingly toxic and antisocial communities.

From Risky Biz News:

Most of 2023's top exploited vulnerabilities were initially zero-days: Ten of the 15 most frequently exploited vulnerabilities last year were initially zero-days, CISA said in a joint report published with cybersecurity agencies from Five Eyes countries on Tuesday.

This includes infamous zero-days, such as the one that forced Barracuda to tell customers to replace all ESG appliances, the zero-day used in the MOVEit hacking spree, and the CitrixBleed vulnerability.

Because zero-days dominated last year's Top 15, 2023 marks the first time CISA's Top Exploited Vulnerabilities list is dominated by new CVEs.

[more on Risky Business News, including further analysis trends]

Chinese hackers target Trump lawyer: The FBI has notified Donald Trump's lead attorney Todd Blanche that his phone was tapped by Chinese hackers. The hackers allegedly obtained voice and text messages, but none were related to President-elect Trump. The hack are the work of Salt Typhoon, a Chinese APT group that breached US telco wiretapping systems earlier this year. The Blanche hack is part of a larger series of hacks that targeted politicians across both US parties. [Additional coverage in ABC News]

Russia blocks Cloudflare ECH connections: Russia's internet watchdog agency, the Roskomnadzor, has blocked traffic to Cloudflare-hosted websites that use the new Encrypted Client Hello (ECH) technology.

Users in Russia and abroad started reporting issues with accessing a large number of websites on Wednesday, November 6.

Roskomnadzor, through its Center for Monitoring and Control of Public Communications Networks department, says it took the decision after Cloudflare enabled ECH by default for customer accounts in October.

The agency said ECH was being used by Russian citizens to bypass its censorship measures and access restricted resources.

[more on Risky Business News, including how ECH prevents censorship of "unwanted" websites.]