The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Cyber pros are fed up with talk about a cyber-Manhattan Project

Welcome to The Cybersecurity 202! Per today’s newsletter top, here’s a great New York Times deep dive on parts of the Manhattan Project that actually took place in Manhattan. From the article: “‘That’s amazing,’ Alexandra Ghitelman said after learning that the buildings she had just passed on inline skates once held tons of uranium destined for atomic weapons.”

Below: The Conti ransomware gang says it’s shutting down even as it’s still demanding money from the hacked government of Costa Rica, and a Trump cyber official’s suspended security clearance is complicating her run for Congress. 

Protecting online data isn't exactly comparable to creating the first nuclear bomb

Former director of national intelligence John Ratcliffe is the latest in a string of pundits to call for a “cyber Manhattan Project” to surge the nation’s offensive and defensive digital capabilities. 

It’s a tired analogy that was first proffered at least 25 years ago, and most people in the trenches of cybersecurity wish it would be retired.

The complaints: Analogies like “cyber Manhattan Project” and “cyber moonshot” misconstrue the way cybersecurity works, analysts say — portraying it as a project with a dramatic and awe-inspiring goal rather than a never-ending process of slowly ratcheting up defenses and making sure those defenses are in place everywhere they need to be.

Bryson Bort, founder of the cybersecurity company Scythe:

The analogy also misleadingly portrays cyberdefense as something that can be fixed with money and smarts alone — failing to acknowledge that most breaches happen because of human failures, such as companies not installing cybersecurity patches that are readily available. 

The latest instance: Ratcliffe used the analogy in a Newsweek op-ed co-authored with Abraham Wagner, who worked on cybersecurity for the Trump-Pence transition team.

The op-ed calls the current U.S. government cyber posture “inadequate, both in terms of national organization and technical capabilities” and calls for a “‘cyber Manhattan Project’ to make revolutionary leaps ahead in cyberspace, understanding that complete technical overmatch against our adversaries is the surest path to deterring bad actors.”

The authors’ main suggested fixes are integrating the National Security Agency more closely with the Department of Homeland Security’s cyberdefense mission and increasing military spending on offensive cyber capabilities — hardly the equivalent of splitting the atom and definitively ending World War II. 

The analogy is one of several that get the goat of cyber researchers. Others include “cyber Pearl Harbor” and “cyber 9/11,” which researchers say have dramatically misstated the cyberthreat — sparking public fear about a mass casualty-level cyberattack that is extremely unlikely to happen while lowering concern about lower-impact cyberattacks that are causing huge amounts of damage in the aggregate.

Such analogies are a common frustration when discussing cyber dangers

The big problem: Cyber is a comparatively new form of threat that’s not well understood by the public, so analogies could be helpful. But it’s also a peculiar field of conflict where most of the defense is conducted by the private sector and attackers often have a structural advantage — which means most analogies from conventional warfare and geopolitical competition aren’t very well suited. 

Some other critiques of the analogy:

If cyber Manhattan Project essentially means government spending a lot of money to do something big and important, then that’s clearly already happening.

The total cost of the actual Manhattan Project was about $36.5 billion in 2022 dollars, according to an analysis from the Brookings Institution think tank. That’s the equivalent of less than two years of military and civilian government cyber spending at the current rate. 

If you factor in what the private sector spends on cybersecurity, that clearly blows the Manhattan Project out of the water. 

Sean Gallagher, cyberthreat researcher for Sophos Labs:

Cyber moonshot is another common analogy. The Trump administration launched a “cyber moonshot” initiative through an advisory committee in 2017, which produced a compelling report but hasn’t significantly shifted the cyber landscape. 

The Apollo program, which was responsible for six moon landings, cost a lot more than the Manhattan Project — about $168 billion from 1960 to 1973 in 2022 dollars, per the Planetary Society.

Total U.S. government cyber spending stretching back to the George W. Bush administration is probably approaching that figure if it’s not there already. That spending has undoubtedly produced huge offensive and defensive advances. But — to take just one measurement — it hasn’t exactly given the United States the same technological edge over Russia that the moon landing did in 1969.

Cyber researcher Matt Tait:

Government spending may also be a poor gauge for the importance of cybersecurity — because so much of it is focused on paying for products that maintain the status quo of security rather than on research and development to improve cybersecurity.

Jayce Nichols, vice president for threat intelligence at Mandiant:

Jason Atwell, cybersecurity strategist at Mandiant:

There’s also a reasonable argument that U.S. intelligence agencies have devoted a Manhattan Project-level effort to offensive cyber tools that the public just doesn’t know about because it’s classified. Journalist Kevin Poulsen made that argument for Wired in 2015 after a previous high-profile call for a cyber Manhattan Project. 

The article came soon after the Russian cyber firm Kaspersky Lab detailed extensive hacking conducted by a group that it dubbed the Equation Group but that was widely understood to be NSA’s offensive hacking division. 

The keys

NSO Group’s confusing corporate structure is frustrating European investigations

The spyware firm’s sprawling list of subsidiaries across different countries is making it difficult for European lawmakers investigating the company to get a clear picture of the company's clients and operations, Politico Europe’s Vincent Manancourt reports. Lawmakers said the complicated structure appeared to be aimed directly at making it hard for people to investigate the company.

“The ownership structure behind NSO seems to have been established with the aim of concealing the factual owners and responsibilities,” Moritz Körner, a German member of the European Parliament, told Politico. “One of the first tasks of the Parliament’s inquiry committee must be to unravel the past and current decision-making processes behind NSO.”

European lawmakers voted in March to set up a “committee of inquiry” to investigate NSO after lawmakers from E.U. members Hungary and Poland said their countries had used the company’s spyware. A month later, Reuters reported that top European officials including European Justice Commissioner Didier Reynders were targeted with Pegasus.

NSO’s corporate structure is “abundantly clear” and legally compliant, an NSO spokesperson told Politico.

A Trump administration cyber official’s suspended security clearance is an issue in her run for Congress

Katie Arrington, who led the Pentagon’s program to boost the cybersecurity of defense contractors during the Trump administration, has been endorsed by former president Donald Trump and is running in the South Carolina Republican primary against Rep. Nancy Mace.

Arrington’s security clearance was suspended after the U.S. military accused her of improperly disclosing classified information. The incident happened when an intelligence officer shared the name of a contractor in a top-secret briefing focused on problems with the contractor, Arrington told the AP. Arrington subsequently briefed a supervisor and called the company to offer her assistance, which led to the suspension, she said.

Now, Mace is homing in on the episode ahead of a June 14 primary, the Associated Press’s Meg Kinnard reports:

  • Mace is calling for Arrington to take a lie-detector test about her security clearance loss.
  • A Mace-funded website has sections about Arrington titled “Leaks Classified Information” and “Busted: Loses Her Security Clearance.”

Arrington has fired back by saying she would take a polygraph test if Mace, who supports legalizing cannabis, took a drug test at the same time. (Scientists are skeptical that polygraph tests are effective.)

  • Arrington also gave the AP a sworn affidavit from the intelligence officer who briefed her. The intelligence officer said he never worried about Arrington’s handling of classified information and is “at a complete loss based on my specific knowledge of the matter as to what security infraction was allegedly committed.”
  • The issue will probably come up at a debate between Mace and Arrington this evening, the AP reports.

Arrington resigned from her job at the Pentagon in February, when she announced she was running for the South Carolina seat.

Arrington was a major cyber player at the Pentagon, including acting as a public critic of Chinese telecommunications giant Huawei, which officials claim is a possible foil for Chinese spying. Arrington dramatically clashed with an executive from the company at a cybersecurity conference.

Conti ransomware gang is apparently shutting down but continues to hold Costa Rican government computers hostage

The notorious ransomware gang took a chunk of its digital infrastructure offline last week and its website is just a shell of what it once was, The Record’s Joe Warminsky reports. The move comes as the group continues to demand that Costa Rica pay a $20 million ransom to unlock computers at critical government agencies.

Conti has threatened to destroy the “keys” to unlock Costa Rica’s data today if it doesn’t receive the funds.

Costa Rica’s government has refused to pay Conti. President Rodrigo Chaves said the country was at war with the gang and declared a national emergency in the wake of the attack, which hit 27 institutions. On Friday, Costa Rica’s government called the group “cyberterrorists,” EFE reports.

Cybersecurity firm AdvIntel’s Yelisey Boguslavskiy and Vitali Kremez described the targeting of Costa Rica as being motivated more by publicity than money. They declared the group’s “official date of death” as May 19.

Government scan

US agencies announce initiatives to crack down on ransomware (The Record)

Sussmann prosecutors also take aim at Clinton, FBI and the news media (By Devlin Barrett)

FTC warns it will go after ed tech companies misusing children's data (CyberScoop)

Global cyberspace

Biden’s South Korea Visit Aims to Boost Chip Ambitions, Outflank China (Wall Street Journal)

Israeli ministry illegally shared biometric images of millions with unknown agency (Haaretz)

Fears grow after ransomware attack on Costa Rica escalates (TechCrunch)

Securing the ballot

The midterms are here. Critics say Facebook is already behind. (By Naomi Nix)

Cyber insecurity

Breach exposed data of half-million Chicago students, staff (Associated Press)

Trust Stamp, a facial recognition company with a $7.2 million ICE contract, had dozens of peoples' data exposed in breach (Business Insider)

Daybook

  • A House Oversight and Reform Committee panel holds a hearing on the Technology Modernization Fund on Wednesday at 10 a.m.
  • Undersecretary of Commerce for Industry and Security Alan Estevez speaks at an event hosted by the Atlantic Council and Krach Institute for Tech Diplomacy at Purdue on Wednesday at 10 a.m.
  • FBI Director Christopher A. Wray testifies before a Senate Appropriations Committee panel’s hearing on Wednesday at 2 p.m. 
  • Lt. Gen. Michael S. Groen, who leads the Pentagon’s Joint Artificial Intelligence Center, speaks at an Atlantic Council event on Wednesday at 2:30 p.m.

Secure log off

Thanks for reading. See you tomorrow.
