Date: 2022-02-22

Below: Israeli officials found no evidence police misused Pegasus spyware, and cyber experts blast a D.C. mobile voting bill.

Chris Inglis wants a new “social contract” on cybersecurity

The Biden administration’s cyber czar is pushing a swing-for-the-fences effort to transform the Internet from an unruly Wild West to a peaceful land of law and order.

The plan, dubbed “a new social contract” for cybersecurity, is laid out in a Foreign Affairs article by Chris Inglis, the nation’s first-ever national cyber director, and Harry Krejsa, a senior adviser in Inglis’s office. It's the most expansive argument yet from the administration for why the nation must completely revamp how it manages cybersecurity.

Wild West

The article paints a bleak picture of the modern Internet — one in which cyber protections are hit or miss, citizens’ personal information is easy to steal, and major technological advances — such as widespread autonomous vehicles — are essentially impossible because they can’t be secured against hacking.

“Contemporary cyberthreats represent a tragic betrayal of what leading technology advocates promised at the dawn of the digital revolution,” they write.

The fundamental insecurity of the Internet has also fractured national security, Inglis and Krejsa write — making it easier for China to steal its way to dominance in key industries and for Russia to threaten economy-rattling cyberattacks.

Those concerns have jumped into hyperdrive recently amid fears of Russian cyberattacks hitting U.S. targets as part of the fallout from an invasion of Ukraine that officials have said appears imminent.

What to do?

The article is short on specifics, but the general idea is a “new social contract” in which government and companies both take on “a new set of obligations” to make computer systems secure against hacking from the beginning rather than scurrying after they’re compromised.

Inglis and Krejsa also urge shifting more responsibility for cybersecurity away from the most common hacking victims — small and medium-sized companies, schools and local governments — and onto government and the largest technology firms whose products are being compromised by hackers.

“Collective, collaborative defense needs to replace atomized and divided efforts,” they write.

For Big Tech companies, that could mean privileging security over other priorities such as making products faster and more user friendly.

On the government side, that could mean more spending on research and development and more upfront work helping companies secure themselves against hacking.

The article avoids the word “regulation,” but Inglis has said several times that increased cyber regulation will be necessary to secure some of the most vital industries. He’s also advocated for requiring critical infrastructure firms to alert the government when they’re hacked.

What’s next?

An official from Inglis’s office described the article's goal to me this way: it outlines a desired end state for U.S. cybersecurity rather than focusing on specific problems. The official declined to say if specific policy proposals are in the works, but said the article will be a good guide for the sorts of policies the office will pursue.

“Cybersecurity is a very reactive business and that’s sometimes infected the way we strategize,” said the official, who spoke on the condition of anonymity because he wasn’t authorized to speak on the record. “We say, ‘Enemies are at the gates, so how are we building this wall to keep them out?’ We want to say, ‘This is the world we want to live in, and let’s build it in a way that security is fundamental.’”

A new office: The article does double duty as a mission statement for the national cyber director’s office, which was created by Congress last year and is still in the process of hiring staff.

The office’s creation followed years of complaints that cyber responsibilities were split up piecemeal throughout government, and no one was truly in charge.

Inglis has rejected the idea that his office should be fully in charge of cybersecurity — a responsibility that’s mostly split among his office, U.S. Cyber Command, the FBI and the Cybersecurity and Infrastructure Security Agency. But he’s described his job as equivalent to a football coach — making big picture decisions about what the team should be prioritizing.

The keys

Israeli investigators found ‘no indication’ that police illegally used Pegasus spyware

The results of the investigation contradict reporting by Israeli business newspaper Calcalist that Israeli police used NSO Group spyware to target high-profile Israelis like former president Benjamin Netanyahu’s son, business executives and activists without search warrants.

Deputy Attorney General Amit Marari’s investigation “did not uncover any unsuccessful attempts by the police to use Pegasus without judicial oversight, and … it also did not discover any police usage of other similar spyware against the individuals named,” the Times of Israel’s Amy Spiro writes.

“Marari noted that police informed the Justice Ministry that three individuals were subject to a court order allowing such phone hacking, but only two of them had been targeted by the spyware and only one of them was successfully hacked.”

Calcalist is looking at its past reporting and “will not hesitate to correct as much as necessary” in the wake of the investigation, the outlet said.

Olympics cyber concerns shift to malware athletes may bring home

It’s too early to tell whether any hacking or cybersurveillance operations occurred while more than 16,000 athletes, journalists and other visitors were gathered at the Olympics in Beijing, the Associated Press’s Kelvin Chan reports. Cybersecurity firm Mandiant said it had seen no sign of “intrusion activity” connected to the Olympics — but such signs often don’t pop up until weeks or months later.

Cyber pros are urging athletes and others returning from the Olympics to take precautions to rid their devices of malicious software. They should change their passwords and double-check that suspicious devices or services don’t have access to their accounts, Mandiant director of cyber espionage analysis Benjamin Read told Chan.

Cybersecurity concerns were especially high at this year’s Olympics because of China’s history of digital surveillance.

The FBI and some national Olympic committees had urged athletes to bring “burner” phones with them to the Games amid fears that China’s government could spy on them.

Some journalists also said they would bring new devices with them, our colleague Paul Farhi reported.

It appears that some athletes didn’t heed that advice. Canadian snowboarder Laurie Blouin told Chan she was “on my phone for sure” and was busy “feeding the ’Grams.” Some U.S. athletes said they used virtual private networks, a method of evading digital surveillance that also allows access to some Western social media sites that are blocked by the Chinese government.

Cybersecurity experts blast D.C. mobile voting bill

The legislation introduced Friday would let D.C. residents cast votes on smartphones, laptops and tablets, Lauren Lumpkin reports. D.C. Council member Brooke Pinto (D-Ward 2), who introduced the bill, says it’s aimed at boosting turnout and making it easier for eligible voters to cast ballots. She expressed confidence the system could be run safely despite widespread concern by cybersecurity and election security advocates.

“The legislation would establish an auditing system to report security threats and require the District’s Board of Elections to establish a secure system that protects voter data,” Lauren writes. “It would also require personally identifiable information to be kept confidential and destroyed after a ballot is cast.”

Cybersecurity experts warn that mobile voting technology could raise hacking threats. Most experts say it’s impossible to verify mobile votes weren’t altered by hackers because there’s no paper record that a voter can look to ensure his or her vote was recorded accurately.

“Frankly, it’s phenomenally retrograde to consider Internet voting in the present moment because we know sophisticated attackers have our election systems in their sights,” said J. Alex Halderman, a University of Michigan professor who has focused on voting technology. In 2010, it took Halderman and his students just 48 hours to hack an Internet-based voting system the District introduced to allow overseas voters to cast ballots.

Chat room

Here's more from cybersecurity experts, D.C. residents and others on the D.C. legislation to introduce mobile voting. CISA’s Allan Friedman:

Jesus. Rookie pol who barely squeaked by in an overcrowded field bc of one endorsement appears to not understand election tech. Sigh. — Allan Friedman (@allanfriedman) February 18, 2022

Full Stack Economics’s Timothy B. Lee:

Just say no to this. Computer security experts overwhelmingly think it’s a bad idea to hold elections online. https://t.co/yct3VjfOB6 — Timothy B. Lee (@binarybits) February 20, 2022

Advisory Neighborhood Commissioner Zach Israel:

So this is a bad idea and I’m kinda shocked to see 8 CMs sign onto this bill. The number of security vulnerabilities involved with this are high. Real glad to see that @charlesallen is not a cosponsor, since it’d need to pass through his committee first. https://t.co/JtDskYH5Ka — Zach Israel (@ZachBIsrael) February 18, 2022

LinkedIn’s Scott Rising:

This is a great way to ensure we get president Camilla Cabello https://t.co/UcDiQA9VzK — scott rising (@rising) February 20, 2022

Cyber insecurity

Missouri government software vulnerability existed for a decade before a journalist discovered it, police say

The software flaw, which exposed 576,000 teachers’ Social Security numbers, had gone unfixed since 2011, the report from the Missouri Highway Patrol said, per the St. Louis Post-Dispatch. Missouri Gov. Mike Parson (R) accused Post-Dispatch journalist Josh Renaud of being a “hacker” after he alerted officials about the vulnerability, but Cole County prosecutor Locke Thompson (R) declined to press charges last week.

Missouri Department of Elementary and Secondary Education spokeswoman Mallory McGowin told the Missouri Highway Patrol that Renaud didn’t access “anything that was not publicly available, nor was he in a place he should not have been,” according to a copy of the patrol’s investigation obtained by the Post-Dispatch.

Global cyberspace

National security watch

Securing the ballot

Government scan

Daybook

Philip Lockwood, NATO deputy head of innovation, discusses NATO’s technological innovations at an event hosted by the German Marshall Fund of the United States on Feb. 23 at 9 a.m.

CISA Director Jen Easterly and others discuss the film “WarGames” at an event hosted by Columbia University's Hacked Film Festival, DEFRAG, on Thursday at 7:30 p.m.

