The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

State Department is offering big rewards for info on hackers, to uncertain ends


Welcome back to The Cybersecurity 202! We missed you like these celebrities missed on their ceremonial first pitches.

Below: Under pressure, Cloudflare drops Kiwi Farms, and encrypted messaging app Signal has a new president. First:

Behind the curtains of a State Department program offering millions of dollars for tips

In the past two months alone, a State Department program has offered tens of millions of dollars for information on Conti ransomware gang members and alleged Russian election meddlers.

And that State Department “Rewards for Justice” initiative is set to advertise new targets between now and the 2022 midterm elections, officials told me, speaking on the condition of anonymity due to the sensitivity of their work.

Rewards for Justice, which is housed within the Diplomatic Security Service and has for decades focused primarily on countering terrorism, expanded in 2020 to start going after election interference and hacking of U.S. critical infrastructure. 

But Diplomatic Security Service (DSS) officials wouldn’t say whether anyone has cashed in on those post-2020 rewards, citing the need to protect sources. One Capitol Hill aide, speaking on the condition of anonymity because they aren’t authorized to speak publicly, told me that they’re “not aware of any major success stories” related to hacking and election security.

That might just be a matter of lag time. It can take months or even years, DSS officials said, to reap the best tips. And while some doubt the program’s ability to help chase down hackers or election meddlers, many still think Rewards for Justice can help in other ways.

  • “The way to judge it isn't how many people we catch,” James Lewis, a cybersecurity expert at the Center for Security and International Studies who once served at the State Department, told me. “It's how much we get the message out there. … As part of a larger U.S. effort to finally begin to impose consequences, it's a good thing.”

The program

The State Department says that Rewards for Justice has paid out $250 million to more than 125 people since its inception in 1984 and has highlighted a select few success stories on its website. Congress has, in recent years, authorized the program to move into election security and cybersecurity. (It’s not the only program to offer rewards for information about illicit hacking, or even the only program in the State Department to do so.)

But the program hasn’t always proven successful. It had trouble getting tips on al-Qaeda in the early 2000s, as The Post reported in 2008.

Two DSS officials spoke with me about the inner workings of the program. Analysts evaluate tips for useful information, possibly contacting the source for clarification, then pass good tips along to others in U.S. intelligence, security and law enforcement agencies to handle the cases. Approximately 90 percent of the tips are “unusable trash,” and just 2 to 4 percent of what comes in “may be useful,” one official said. Beyond that, DSS won’t say much about the tipsters.

“Foreign governments … can be very dangerous to the tipster, so we don't like to talk about what comes in,” the official said.

The evolution

Since 2008, the program has improved its outreach with technology, one of the officials told me. What once was just a 1-800 line, an email address and an online form has expanded to include tip lines on the dark web, Signal, WhatsApp and more. 

“We've seen quite an uptick in the quality of things coming in because we make it easier and more secure,” the official said.

While the officials said there’s been a learning curve about how they market the program to get tips on hackers and election meddlers, they’ve embraced the power and reach of social media.

The August reward offer for Conti was the first time the U.S. government publicized a picture of a suspected Conti hacker, and the Rewards for Justice Twitter account playfully mocked them.

July’s offer focused on Yevgeniy Prigozhin, a Russian oligarch and confidant to Russian President Vladimir Putin who the United States accused of funding a troll farm that tried to interfere in U.S. elections. Prigozhin mocked the reward online, leading to more social media jousting.

Rewards for Justice announced the Conti reward at the Black Hat cybersecurity conference in Las Vegas. They’ve also been offering to pay the rewards with cryptocurrency. So far they’ve also used the program to offer rewards for information on North Korean hackers and the hackers behind last summer’s Colonial Pipeline ransomware attack, among others.

The differences

The Capitol Hill aide who said they weren’t aware of any major success stories added, “That's not disqualifying.”

“By soliciting information, maybe someone provides a tip that isn't itself extraordinary, but that when combined with all the other information that we're receiving and trying to piece together, may be very helpful in that sense,” the aide said.

Still, there are some difficulties with using the program for cyberspace targets.

“You’re tapping into a reservoir of people who may have no special love for the terrorists but also are maybe familiar with who the terrorists are, whereas cybercriminals are, generally speaking, not as notorious,” the aide said. “On top of that, they’re much better able to protect their identities.”

In a world where some hackers are making hundreds of millions of dollars at a time, there’s also the question of who would turn them in at all. That said, it’s not unheard of for hackers to turn on each other, Andrew Lohn, a senior fellow at Georgetown’s Center for Security and Emerging Technology, told me.

Said one of the DSS officials: “Maybe the key leaders within that group earn hundreds of millions of dollars, but there could be friends and associates around them who aren't earning that money or are jealous of the people earning the big dollars, and $10 million might be a good incentive for them.”

Correction: This morning's newsletter incorrectly stated that State announced the Conti reward at the Def Con conference in Las Vegas rather than the Black Hat conference.

The keys

Security firm Cloudflare drops Kiwi Farms website

Cloudflare’s move marks a reversal of course for the company, which had previously justified its protection of Kiwi Farms, Joseph Menn and Taylor Lorenz report. Kiwi Farms is best known for being used by stalkers to organize real-world harassment, as well as online hacks and abuse.

“As Kiwi Farms has felt more threatened, they have reacted by being more threatening,” Cloudflare chief executive Matthew Prince told The Post. “We think there is an imminent danger, and the pace at which law enforcement is able to respond to those threats we don’t think is fast enough to keep up.” Contributors to the forum have posted home addresses of perceived enemies and called for them to be shot, Prince said.

Last week, Cloudflare faced pressure to drop Kiwi Farms. Organizations and influencers joined Clara Sorrenti, a trans Canadian Twitch streamer known online as Keffals, in calling for the removal of Kiwi Farms from Cloudflare's services. Sorrenti launched the #DropKiwiFarms campaign after being targeted by users of the forum for months. Forum users doxed Sorrenti and her family, and they also called the police to come to her home in “swatting” attacks.

Cloudflare isn’t the only firm to cut off Kiwi Farms. DDoS-Guard, a Russian service that protects websites from cyberattacks involving overwhelming amounts of traffic, had picked up Kiwi Farms after Cloudflare cut it off. But that didn't last long. On Monday, the firm said it was terminating its services to Kiwi Farms after receiving reports that the forum violated its policies. “Having analyzed the content of the site, we decided on the termination of DDoS protection services for kiwifarms.ru. To all those who brought this incident to our attention, we thank you,” the firm said. 

Twitter has lacked resources for combatting disinformation

Twitter’s former head of security, Peiter “Mudge” Zatko, commissioned an external audit of the firm’s ability to counter misinformation, and the review depicted a company facing sophisticated disinformation campaigns while short on resources, Elizabeth Dwoskin, Joseph Menn and Cat Zakrzewski report. The audit was included in an explosive whistleblower complaint by Zatko, a famed hacker.

“While Zatko’s allegations of Twitter’s security failures, first reported last month by The Post and CNN, have received widespread attention, the audit on misinformation has gone largely unreported,” my colleagues write. “Yet it underscores a fundamental conundrum for the 16-year-old social media service: despite its role hosting the opinions of some the world’s most important political leaders, business executives and journalists, Twitter has been unable to build safeguards commensurate with the platform’s outsize societal influence. It has never generated the level of profit needed to do so, and its leadership never demonstrated the will.”

Twitter disputes much of the report, which said the company was too understaffed, siloed and reactive to threats. Alethea Group, the firm behind the report, declined to comment.

Signal hires Big Tech critic who aims to focus on sustaining the app through donations

Meredith Whittaker, a former Google manager, will be the first president of the encrypted messaging app, Nitasha Tiku reports. Whittaker, who has been outspoken about the harms of Big Tech, will help guide strategy, communications and policy in the role.

Whittaker aims to focus on sustaining the app, which hopes to support itself through millions of users’ small donations. 

“It costs tens of millions of dollars per year to develop and maintain an app like Signal,” Whittaker said, arguing that the only way for people to escape technology profiting off user data is to pay for products that don’t.

Signal, which was released in 2014, offers the ability for people to send messages, voice calls and video calls that are encrypted so only the sender and recipient can see them. Signal creator Moxie Marlinspike stepped down as its chief executive in January, and WhatsApp co-founder Brian Acton, who sits on its board alongside Whittaker and Marlinspike, is leading the company in an interim capacity. It’s still looking for a new chief executive. “It’s got to be the right person,” Whittaker said. “We have the luxury to take our time.”

Global cyberspace

China says U.S. hacked aeronautics, space research university (Bloomberg)

Biden will crack down on Chinese tech with a new executive order (Semafor)

The chips are down: Putin scrambles for high-tech parts as his arsenal goes up in smoke (Politico)

Cyber insecurity

TikTok denies reports that it’s been hacked (The Verge)

On the move

National Cyber Director’s office elevates key personnel (FCW)

Daybook

  • CIA chief technology officer Nand Mulchandani and retired lieutenant general Jack Shanahan discuss software-defined warfare at a Center for Strategic and International Studies event on Wednesday at 2 p.m.
  • CSIS hosts an event on stopping misinformation and disinformation on Wednesday at 3 p.m.
  • Top officials from across the federal government speak at the Billington CyberSecurity Summit from Wednesday through Friday.
  • NSA research director Gil Herrera speaks at an event hosted by the Intelligence and National Security Alliance on Thursday at 9 a.m.

Secure log off

Thanks for reading. See you tomorrow.
