Below: Lawmakers are again trying to pass cyber incident reporting mandates, and North Korea stole more than $400 million in cryptocurrency.
Call an exterminator: open-source bugs are everywhere
The Biden administration is adding another big cyber challenge to a plate that’s already chock-full of them.
The White House hosted industry leaders from Google, Microsoft and a slew of other companies and tech foundations yesterday to discuss the mammoth task of rooting out computer bugs littered throughout open-source software that powers much of the Internet.
That problem was largely ignored until recent years — even as open-source software, which is mostly built and maintained by volunteers, has become an increasingly vital component of computer systems in government and vital industry sectors. The meeting was essentially a first step in getting a handle on how to approach the challenge, participants said.
“This was very much a working session. It was the start of a conversation that’s going to continue,” Mike Hanley, chief security officer at the open-source code repository GitHub, who was at the meeting, told me.
Invitations for the meeting went out in December, when the government and industry were scrambling to deal with serious vulnerabilities discovered in the log4j system — one of the most ubiquitous pieces of open-source software, which officials feared could have resulted in damaging hacks across a broad range of industries.
As the dust settles on the immediate response to log4j, government and industry leaders are increasingly grappling with the fact that there could be many equally serious bugs out there in open-source software, ready to wreak havoc on the economy and threaten national security.
“Log4j was really a wake-up call,” Boaz Gelbord, chief security officer at the tech firm Akamai, who participated in the White House meeting, told me. “Here’s something that’s all over the place in a wide range of systems. It has really critical impact on people’s lives. And something like this, with such significant issues, slipped through the cracks.”
One big priority at the summit: Participants talked about building a government-industry partnership to create a catalogue of the most important pieces of open-source software that could spark log4j-level concerns if they were vulnerable and must be checked and rechecked for hackable bugs.
The project, which Google officials outlined in a statement after the meeting, would resemble an effort the Cybersecurity and Infrastructure Security Agency is undertaking to create a broader list of the most “strategically important critical infrastructure,” which must be protected against hacking.
According to meeting attendees, other priorities included:
- Ramping up cybersecurity training for open-source software developers
- Building closer connections between private sector efforts to shore up open-source software and government efforts outlined in a May executive order from President Biden
- Surging funding and resources to existing projects to reduce the prevalence of hackable bugs in open-source software, including several run by the Open Source Security Foundation, which attended the meeting
“The tone was that we’re all building on the work that we’ve started in the last year or so. We’re further committing to what we were already driving at,” Phil Venables, chief information security officer of Google Cloud, told me.
There was no formal White House statement after the meeting, and attendees described it as mostly focused on strategizing and agreeing on priorities rather than prepping big announcements.
National security adviser Jake Sullivan described the meeting during a White House press briefing as “an incredibly constructive discussion about ways that the public sector and the private sector can work effectively together to ensure that public sector systems are more robust and resilient, and private sector systems are more robust and resilient.”
The event was hosted by deputy national security adviser Anne Neuberger. Other participants included: Amazon, the Apache Software Foundation, Apple, Cloudflare, Facebook parent Meta, IBM, Linux, Oracle, Red Hat and VMware. (Amazon founder Jeff Bezos owns The Washington Post).
Hackers took down several Ukrainian government websites
It’s not clear if the attack came from Russia. But it comes as Russian troops are massed along its neighbor’s borders and amid a tense international effort to forestall an invasion. The Kremlin has conducted some of its most devastating cyberattacks in Ukraine, including a 2015 hack that temporarily brought down parts of the nation’s power grid.
“It’s too early to draw conclusions as the investigation is ongoing, but there is a long record of Russian cyber assaults against Ukraine in the past,” Ukrainian Foreign Ministry spokesman Oleg Nikolenko told the Associated Press.
The attack hit the websites of Ukraine’s Cabinet and seven ministries. Websites for the nation’s Treasury, National Emergency Service and the state services website were unavailable Friday. The state services website stores Ukrainians’ electronic passports and vaccination certificates.
Lawmakers are bullish on passing cyber incident reporting mandates this year
Rep. John Katko (R-N.Y.) and Rep. Yvette D. Clarke (D-N.Y.) expressed confidence that the legislation, which would require critical companies to report hacks to the Cybersecurity and Infrastructure Security Agency (CISA), could pass this year, the Record’s Martin Matishak reports. The measure was nearly included in a defense authorization bill that President Biden signed in December, but it was scrapped at the last minute amid Senate bickering.
Katko, the top Republican on the House Homeland Security Committee, and Clarke, who chairs the committee’s cybersecurity panel, were speaking at a Silverado Policy Accelerator event.
But the FBI still has some problems with the bill. The FBI wants the legislation to “say that that information would be shared by CISA simultaneously and unfiltered with the FBI,” Deputy Assistant Director Tonya Ugoretz told our colleague Ellen Nakashima during a Washington Post Live event. FBI leaders tried but failed to get that language into the bill last year. Some supporters of the measure fear companies will oppose the bill if they believe their hacks will be automatically shared with law enforcement.
North Korea stole more than $400 million in cryptocurrency in 2021
Hackers backed by the hermit nation breached at least seven cryptocurrency exchanges and laundered the proceeds, NBC News’s Kevin Collier reports. The country relies on cryptocurrency theft because its main exports are under United Nations and U.S. sanctions.
But North Korea doesn’t immediately rush to launder the cryptocurrencies it’s stolen. The country has retained about $170 million that it stole from old attacks, cryptocurrency research firm Chainalysis said.
“According to research from the cybersecurity company Kaspersky, also published Thursday, North Korea has a dedicated hacking team that has been steadily attacking small- and medium-sized companies that deal with cryptocurrency and related projects,” Collier writes. “Such companies are frequent targets for hackers, who stole a record $14 billion in cryptocurrency last year.”
NSO Group is poised to ask the U.S. Supreme Court to scrap a case over its hacking tools
The controversial spyware company plans to ask the high court to overturn an appeals court ruling that allowed a 2019 lawsuit brought by Meta-owned WhatsApp, which accuses NSO Group of hacking its customers, Bloomberg Law’s Andrea Vittorio reports. NSO argued it was immune from the lawsuit because it provides its technology to foreign governments that have sovereign immunity. If the case proceeds, NSO may be forced to hand over sensitive documents about its internal operations.
The case comes as NSO is facing a slew of allegations about the use of its technology. Researchers say Pegasus was used to target journalists in El Salvador, while researchers found traces of the powerful spyware on devices belonging to Polish opposition figures. The Biden administration barred NSO from receiving U.S. technology after an investigation by The Washington Post and 16 media partners into Pegasus.
NSO is also battling a lawsuit from Apple, which sued the firm in November. The tech giant argued in that suit that NSO abused “Apple services and servers to perpetrate attacks on Apple’s users and data stored on users’ devices.”
Six federal agencies didn’t collect enough data to know extent of SolarWinds breaches
The agencies “stated that they were unable to generate and maintain enough telemetry information to effectively determine what actions had occurred on their networks,” the Government Accountability Office, a nonpartisan government auditor, said in a report.
There were also gaps in agencies’ data. One official told the auditor that “log retention was a particular challenge for investigators responding to the SolarWinds incident as the threat actor was in agencies’ networks months before it was detected and evidence may not have existed at all agencies based on an agency’s log preservation activities,” the GAO said.
Congress is watching: House Oversight Committee Chairwoman Carolyn B. Maloney (D-N.Y.) said the report made “clear that there are still significant gaps in the federal government’s ability to respond to advanced cyberattacks” and called it “troubling that the federal government was still working to remove cyberattackers from agencies’ networks six months after the attack was discovered.”
She used the report to push a bill that would revamp how the government manages cybersecurity protections.
Ukrainian authorities targeted a ransomware gang
Authorities arrested five people who were allegedly members of a group that targeted dozens of companies in North America and Europe, the Record’s Catalin Cimpanu reports. The arrested gang members were the group’s leader, his wife and three acquaintances.
Officials said the group targeted government and private networks to steal data, install ransomware and carry out attacks to overwhelm computer networks. The group may have earned more than $1 million from the hacks, Ukrainian police said.
Securing the ballot
- Australian Ambassador for Cyber Affairs and Critical Technology Tobias Feakin and former Estonian Ambassador-at-large for Cyber Diplomacy Heli Tiirmaa-Klaar discuss accountability in cyber norms at a Center for Strategic and International Studies event on Thursday at 9 a.m.
- The House Oversight and Reform Committee holds a hearing on the federal government’s IT purchasing law on Thursday at 10 a.m.
Secure log off
Thanks for reading. Have a great holiday weekend. See you Tuesday.