The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

A Red Cross hack is victimizing the most vulnerable


Welcome to The Cybersecurity 202! This weekend I made the Genurken-flürken cake from Rose Nylund (Betty White), as developed by the Forum of Fargo-Moorhead. I highly recommend it. 

Below: The Biden administration is mulling serious tech export restrictions if Russia invades Ukraine, and Wisconsin's partisan election investigation is running into legal problems. 

Hackers stole information on families separated by war

A massive cyberattack targeting the International Committee for the Red Cross is showing how hacking can even threaten vital humanitarian work. 

The breach compromised the personal information of more than 500,000 recipients of Red Cross assistance, including victims of war and violence, the Red Cross said. The breached servers belong to the organization’s Restoring Family Links service, which focuses on reconnecting loved ones separated by war and other causes. 

That raises the specter of those people being victimized again by hackers either stealing their online identities or sharing their information with groups that may wish them harm. 

“We are appealing to whomever is responsible: The real people, the real families behind the information you now have are among the world’s least powerful,” Director General of the International Committee of the Red Cross Robert Mardini said in a rare public appeal to the hackers to not do anything with their bounty. 

The damage

The hack forced the Red Cross to halt much of its work on behalf of separated families while the system that holds their data is offline. That’s preventing the reunification of about a dozen people with their families per day, the organization said. 

It’s raising concerns that people in need of assistance may become more fearful of sharing their information with organizations designed to help them. 

The hack has caused “immeasurable damage” to the notion that any program can safely manage the personal information of so many victims of war and violence, Lukasz Olejnik, an independent cybersecurity researcher and former cyberwarfare adviser at the International Committee of the Red Cross in Geneva, told me. 

“This contributes to the debate and the big questions of whether some kind of data should really be run via open-access digital systems,” he said. 

It’s also underscoring the damage hackers could cause by targeting humanitarian agencies more broadly — most of which have far fewer technical resources than the Red Cross. 

“We talk a lot about the monetary damage of cyberattacks, but this really brings home that there is a tangible human toll to cyberattacks and intrusions that impact very vulnerable populations,” Chris Painter, former top cyber diplomat during the Obama administration, told me. 

How?

The breach itself is a bit of a mystery. Here’s what we know so far, mostly from a lengthy Red Cross statement:

  • The Red Cross doesn’t know who conducted the attack or whether it was a criminal group or nation state.
  • The Red Cross described the attack as highly targeted and aimed at Red Cross servers rather than at the third-party company that was hosting those servers.
  • The hackers haven’t reached out to demand a ransom payment or for other reasons.
  • In addition to data from separated people, the breach compromised login information for about 2,000 staff and volunteers.

The facts that the attack was targeted and that there has been no ransom demand suggest it may have come from a nation state or other group with political motives rather than criminal hackers just looking for a payoff.

Yet the database is mostly focused on people fleeing areas torn by war and violence rather than the sort of high-value political targets that would be most valued by hackers tied to national intelligence services. 

“The potential value to a nation state is very unclear,” Painter told me. 

Humanitarian appeal

The Red Cross’s plea to the hackers not to use the data is also novel. The Red Cross said in its statement that officials are “willing to communicate directly and confidentially with whoever may be responsible … to impress upon them the need to respect our humanitarian action.”

That plea could have some impact if the perpetrators are criminals. They may be eager to avoid the sort of negative publicity that could bring added attention from international law enforcement. 

It’s unlikely to do much good, however, if government hackers are responsible. 

“If you’re a nation state doing targeted operations to get information, you’re going to use it,” Painter told me. “That’s why they do this.”

The keys

Wikileaks founder Julian Assange has another chance to appeal extradition to the United States

The United Kingdom’s top court granted Assange permission to appeal his extradition to the United States Supreme Court, William Booth reports. He faces U.S. charges of violating the Espionage Act and other crimes including breaking U.S. hacking laws. 

The effort to extradite Assange has been going on in earnest since 2019 when he was expelled from Ecuador’s UK Embassy and taken into British custody. 

Assange’s supporters say he was acting as an investigative journalist when he published troves of classified government information.

The Biden administration is mulling sanctions aimed at crippling Russia’s tech sector

The goal would be to cut off the flow of semiconductors and other critical components to high-tech industries like artificial intelligence and quantum computing in the event that Russia invades Ukraine, Ellen Nakashima and Jeanne Whalen report.

The U.S. government has deployed such a wide-ranging export control only once before, when it targeted Chinese tech giant Huawei, which officials accused of aiding Chinese spying. It contributed to the company’s first revenue drop — of 30 percent — last year, analysts said.

The sanctions would seek to bar foreign companies from exporting tech to Russia if they rely on U.S. components. It’s a particularly powerful move because “there is hardly a semiconductor on the planet that is not made with U.S. tools or designed with U.S. software,” Ellen and Jeanne write.

But problems could lie ahead. “The effort could face head winds from American and European business interests that fear using export controls could lead to Russian retaliation in other spheres — and eventually cause foreign companies to seek to design U.S. technology out of their products,” Ellen and Jeanne write. 

Targeted use of the export controls could hit Russia’s military, which uses a Russia-designed chip called Elbrus that is manufactured by TSMC in Taiwan. If the U.S. government were to forbid TSMC from supplying those chips to Russia as it successfully restricted TSMC from supplying Huawei, it would have a “devastating effect,” said Kostas Tigkos, an electronics expert at defense intelligence provider Janes Group.

The former judge running Wisconsin’s GOP must turn over records from his investigation

Former state Supreme Court Justice Michael Gableman has long resisted sharing such records, claiming his investigation is not governed by state open records laws and that sharing them would compromise the efforts, Wisconsin Public Radio’s Shawn Johnson writes.

Wisconsin House Speaker Robin Vos (R) appointed Gableman under pressure from former President Donald Trump and fellow Republicans who claimed without evidence that Biden’s 2020 victory in the state was illegitimate. The review was originally set to conclude last year, but has dragged on and will likely last months longer. Vos has said he wants a report from Gableman by the end of February so he can use it to craft election legislation before the end of March.

In a separate lawsuit Gableman backed off of threats to jail several Democratic mayors in the state who have refused to comply with his subpoenas, Johnson reports. 

Meanwhile, an Arizona appeals court dealt the state’s partisan election review a blow, the Associated Press reports.

The court rejected the state senate’s arguments that emails about the review are exempt from disclosure under open records laws. The court found that an exemption for the state’s legislative branch can only be used for records narrowly focused on legislation. The case could be appealed to the state’s top court. Leaders of the state senate are still considering how they should proceed, senate attorney Kory Langhofer said.

The Arizona review, which was beset by blunders, did not find any evidence Biden's victory was illegitimate, but state lawmakers have nevertheless proposed new voting laws in its wake. 

The House Jan. 6 committee is looking into a draft executive order that called on the U.S. military to seize voting machines

It’s not clear who wrote the draft order, which was dated Dec. 16, 2020, and would have given President Donald Trump’s secretary of defense the authority to seize election machines and data. It also would have appointed a special counsel to investigate the 2020 election. It was among the records that Trump’s lawyers tried to block the Jan. 6 committee from receiving, Politico's David Cohen reports.

The committee has spoken with former attorney general William P. Barr and Pentagon officials as it investigates the draft, Bloomberg’s Ian Fisher reports.

“We are concerned that our military was part of this big lie on promoting that the election was false,” Committee Chairman Bennie G. Thompson (D-Miss.) said. The Defense Department declined to comment to Bloomberg News.

Industry report

Twitter is shaking up its security team

Security head Peiter “Mudge” Zatko is no longer at the company, and Chief Information Security Officer Rinki Sethi will be leaving in the coming weeks, the New York Times’s Mike Isaac and Kate Conger report. The changes came after “an assessment of how the organization was being led and the impact on top priority work,” Twitter chief executive Parag Agrawal said in an internal memo. 

Agrawal took the reins of Twitter in late November, when co-founder Jack Dorsey stepped down. In the months since, he has reorganized the company and other top executives have left.

Zatko, who previously worked at Stripe, Google and the Defense Advanced Research Projects Agency, is a well-known hacker who famously warned the Senate in 1998 that he and his fellow hackers could take down the Internet in 30 minutes. Sethi previously worked at firms including Rubrik and IBM.

Global cyberspace

Researchers find similarities between NotPetya, attacks on Ukrainian government systems (CyberScoop)

Israeli police used NSO’s Pegasus to spy on local mayors, their relatives (Calcalist)

Russia detains four Infraud cybercrime members, Tass reports (Bloomberg)

Greek Parliament: Authorities probe hacking of 60 email accounts (To Vima)

China’s SenseTime ponders future after US blacklisting (Financial Times)

Cyber insecurity

Leaked chats reveal evidence of hate crimes by U.S. fascists (Gizmodo)

Daybook

  • The Cyber Threat Alliance hosts a webinar for its fifth anniversary today at 10 a.m.
  • NATO Deputy Secretary General Mircea Geoana, European Commission Vice President Margaritis Schinas, German Cyber Ambassador Regine Grienberger and other top cybersecurity officials including CISA Executive Assistant Director Eric Goldstein speak at the CyberSec Global event on Tuesday.
  • FTC Commissioner Noah Phillips discusses data privacy at an event hosted by the National Cybersecurity Alliance and LinkedIn on Wednesday.
  • CISA Executive Assistant Director David Mussington speaks at a Purdue University event on Wednesday at 4:30 p.m.
  • Sens. Ron Wyden (D-Ore.) and Marsha Blackburn (R-Tenn.) speak at an R Street Institute event about a future federal privacy law on Thursday at 2:30 p.m.
  • CISA senior adviser Kris Rose and other cybersecurity experts speak at Out In Tech's Out in Cybersecurity event on Thursday at 5:30 p.m.

Secure log off

Thanks for reading. See you tomorrow.