The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

An 'ingredients list' for software could help prevent the next log4j

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Welcome to The Cybersecurity 202! I give my strongest recommendation to Michelle Zauner's "Crying in H Mart." I listened to it as an audiobook read by the author. 

Below: More Pegasus victims have been identified, and the Justice Department is probing fake election documents sent to the National Archives as former president Donald Trump disputed his 2020 loss. 

CISA is working on an ingredients list for tech systems

Government officials are looking for ways to make future bugs like log4j less threatening, as organizations continue to scramble to protect themselves from the fallout.

One big idea being pushed by government cyber officials is a Software Bill of Materials (SBOM) – an ingredients list for tech systems that organizations can consult when a new bug is discovered to see if they have vulnerable software needing to be patched. 

The concept has been around for a long time. But it’s getting extra juice amid the log4j fallout as government officials and industry executives grapple with the huge number of highly dangerous bugs that may be lurking deep inside software that’s spread throughout the tech ecosystem. 

SBOMs wouldn’t have prevented log4j, but they could have made the cleanup far faster. They’re particularly well-tailored to solve one of the biggest problems log4j highlighted — that some bugs affect pieces of open-source software that are not only incredibly common but also frequently buried so deep in companies’ digital systems that their IT and cyber staff don’t even know they’re there. 

“Log4j helped folks realize if we had SBOMs today, this would be more manageable,” Allan Friedman, a senior adviser to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) who’s working on the effort, told me. “It helped folks understand that this is something that has real, tangible value in terms of dollars and cents.”

The government isn’t designing SBOMs itself, but it’s trying to make it easier for vital industries to use them. 

Heading off attacks

SBOMs are one of four key areas CISA is working on to prevent the next log4j, Eric Goldstein, CISA’s executive assistant director for cybersecurity told reporters this month.

He called SBOMs “invaluable to help an organization ideally automatically understand if they are exposed to a given vulnerability and then quickly pivot to remediation, driving down that time that an adversary has to exploit a vulnerability.”

Other efforts include:

  • Demanding stronger design for software used by the federal government
  • Building automated tools to scan software for bugs
  • Helping tech companies get better at responding when there are bugs in their products

There’s been some movement toward SBOMs in critical industry sectors, but there’s still a long way to go. 

  • A collection of electric utilities is piloting the use of SBOMs in the electric sector.
  • The Food and Drug Administration has also raised the idea of requiring SBOMs from medical technology firms when they seek approval for new devices.
  • But for most industries, the idea is still in its early phases and leaders aren’t sure all the technical heavy lifting will make financial sense.

CISA’s goal is basically to make adopting SBOMs as easy as possible to change industry’s calculus. The agency hosted an event with key industries to hash out some of the big problems in December, which they dubbed an SBOM-A-RAMA.

Big goals include: Developing standard formats so SBOMs look the same within or across industries and tools so software suppliers can automatically share the ingredients lists with their customers. 

“What we’re trying to do is not to say that there is a single way to do it, but to try to minimize the number of degrees of freedom so that implementation has as low a cost as possible,” Friedman told me. 

They’re also trying to overcome some of the big barriers

For example, private tech companies are often hesitant to share the details of all their software publicly so they need a private way to share it with customers. Some smaller tech firms likely won’t devote the resources to using SBOMs unless their customers demand it. 

“When a new vulnerability is discovered, responsible manufacturers have to say, ‘Am I affected?’ ” Friedman said. “And an SBOM can shorten that by many orders of magnitude in terms of hours and cost.”

The keys

Tighter cyber rules for government agencies could come today

The new rules expected from the White House would tighten requirements for federal employees to use extra security measures when logging into devices and networks beyond passwords, CNN’s Sean Lyngaas reports.

They would also implement a system called “zero trust,” which means not automatically trusting users are who they say they are but requiring verification at each step. Agencies would also be required to have a complete inventory of all tech devices running on their networks, Sean reports. 

The new rules were spawned from a cybersecurity executive order President Biden issued in May after the Solar Winds attack compromised large amounts of federal data across numerous agencies. 

Researchers named three new victims targeted with NSO’s Pegasus spyware

Lamah Fakih, Human Rights Watch's crisis and conflict director and the head of its Beirut office, was targeted by Pegasus, according to the group. Fakih, a U.S.-Lebanon dual-citizen, said she doesn’t know why she was targeted or by which of NSO Group’s government clients, but she spent much of last year studying a 2020 explosion in Beirut that killed more than 200 people and caused billions of dollars in damage, Craig Timberg reports

Meanwhile in Poland, researchers identified two new victims of the spyware, the Associated Press’s Vanessa Gera reports:

  • Farmer and agrarian movement leader Michal Kolodziejczak was targeted ahead of elections where support for his movement threatened to cut into backing for Poland’s ruling party
  • Tomasz Szwejgiert, who says he worked with Poland’s secret services and wrote a book about its leader, Mariusz Kaminski, was also targeted

Polish state security spokesman Stanislaw Zaryn told the AP that the country conducts surveillance in limited cases and is bound by Polish law. The leader of Poland’s ruling party has admitted that the country purchased Pegasus, but denied that it was used to target opposition figures in a high-stakes election campaign.

NSO "has been the subject of a growing number of news reports about financial, corporate and legal struggles,” Craig writes. “The departure of the company’s chairman, Asher Levy, became public on Tuesday. A newly appointed chief executive announced his resignation in November after just two weeks on the job.” NSO told news outlets that Levy’s departure had been previously planned, and that reports of financial and other troubles are unfounded.

Federal prosecutors are reviewing fake election documents that said Trump won states he actually lost

Deputy Attorney General Lisa Monaco acknowledged the Justice Department is probing the phony certificates after weeks of requests by lawmakers and state officials for a federal investigation, CNN’s Evan Perez and Tierney Sneed report. The move comes days after my colleagues reported that the effort by Republican electors in Arizona, Georgia, Michigan, Nevada and Wisconsin was assisted by Trump campaign officials and attorney Rudolph W. Giuliani.

“A Justice Department spokesman declined to comment Tuesday on when prosecutors began looking into the matter, whom they were targeting or even if they were conducting a full-fledged investigation, rather than just assessing referrals from state attorneys general,” my colleague Matt Zapotosky writes.

The House committee investigating the Jan. 6 insurrection is also focusing on how the rival slates were put together, people familiar with the panel’s work told my colleagues. 

A Michigan woman found out she won $3 million in the lottery after checking her spam folder

The unusual incident is giving security pros heartburn.

Emails in your spam folder that promise big paydays are almost certain to be hoaxes or con jobs aimed at stealing your information or spreading malware, email security experts say. Laura Spears’s $3 million payday “seems to be a classic example of the exception that proves the rule — in this case, don’t believe emails that sound too good to be true,” Venable managing director Jeremy A. Grant told Annabelle Timsit.

Spam emails about lottery wins are especially prevalent. “Lottery fraud is common in the United States: Of the more than 600,000 complaints of fraud the Federal Trade Commission received in the third quarter of 2021, scams that used prizes, sweepstakes and lotteries as bait were the third most common, generating a total loss of $56.3 million for the consumers who fell for them,” Annabelle writes.

Government scan

Bob Kolasky is leaving CISA

Kolasky, a longtime Department of Homeland Security official, leads CISA’s National Risk Management Center. CISA Director Jen Easterly said in a statement that Kolasky “played an integral role in building the agency and continually advancing our mission.”

Current and former CISA officials were quick to praise Kolasky. 

More from Easterly: 

Matt Masterson, CISA’s top elections official for the 2020 contest:

Former CISA director Chris Krebs:

NIST releases final cybersecurity assessment guidance  (NextGov)

Global cyberspace

N.Korean internet downed by suspected cyber attacks -researchers (Reuters)

U.S. venture capital firm in talks to buy Israel's infamous spyware maker NSO (Haaretz)

The fight ahead in Ukraine: Body bags and cyberwar (David Ignatius)

Olympics inks cloud services deal with Alibaba despite US deeming it potential security threat (Washington Examiner)

Russia steps up propaganda war amid tensions with Ukraine (The New York Times)

Businessman gets 4-yr term for selling N.K.-made software program in S. Korea (Yonhap News Agency)

Doctor-style register planned for UK infosec professionals (The Register)

Industry report

A telecom industry association is launching a new supply chain security standard

The Telecommunications Industry Association’s new standard is designed to verify the security of hardware, services and software across telecommunications network infrastructure. Its release comes as critical industries have been struggling to figure out how to secure supply chains against hacking and questionable software.

Google proposes a new way to track people around the Web. Again. (Gerrit De Vynck)

Apple pays record $100,500 to student who found Mac webcam hack (AppleInsider)

Hill happenings

Bipartisan bill would update federal cybersecurity rules, responsibilities (The Record)

Securing the ballot

State Auditor opens inquiry of Otero County contract to audit 2020 election (Alamogordo Daily News)

Cyber insecurity

Despite decades of hacking attacks, companies leave vast amounts of sensitive data unprotected (ProPublica)

Chat room

What was the first cyberattack? The FBI and Securities and Exchange Commission posted videos this week each claiming a different origin. 

SEC Chairman Gary Gensler pointed to a scheme to get early telegraph information to profit off securities trading in 1834 France. 

Bryan Vorndran, assistant director of the FBI’s cyber division pointed to a computer worm developed at the Massachusetts Institute of technology in 1988. 

Who's right? University of Sydney PhD candidate Ravi Nayyar said it depends:

But a story that begins in Bordeaux sounds more enjoyable to investigate than one that begins in Boston, Recorded Future's Allan Liska notes:


  • FTC Commissioner Noah Phillips discusses data privacy at an event hosted by the National Cybersecurity Alliance and LinkedIn today.
  • The German Marshall Fund hosts an event on cyber and other forms of resilience in Ukraine today at 10 a.m.
  • CISA Executive Assistant Director David Mussington speaks at a Purdue University event today at 4:30 p.m.
  • Sens. Ron Wyden (D-Ore.) and Marsha Blackburn (R-Tenn.) speak at an R Street Institute event about a future federal privacy law on Thursday at 2:30 p.m.
  • CISA senior adviser Kris Rose and other cybersecurity experts speak at Out In Tech's Out in Cybersecurity event on Thursday at 5:30 p.m.
  • FBI Director Christopher A. Wray speaks at the Reagan Library on Monday.
  • The Brookings Institution hosts an event on ethical use of artificial intelligence on Monday at 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.