Welcome to The Cybersecurity 202! Below: Authorities investigate a suspected ransomware attack on Bosnia's parliament, and Uber releases details on last week's hack. First:

The Network weighs whether U.S. entities should reveal U.S. government disinformation, hacking operations

U.S.-based organizations and companies should publicly reveal hacking and disinformation campaigns when they find them, regardless of whether they believe they are potentially the work of the U.S. government, according to 73 percent of surveyed cybersecurity experts.

That result — drawn from The Network, our panel of more than 100 cyber experts who are invited to participate in our polls — follows revelations last month about Facebook and Twitter removing fake, pro-U.S. accounts. Stanford University’s Internet Observatory and New York-headquartered social media analysis firm Graphika described the campaign in a joint report.

On Monday, my colleague Ellen Nakashima dug further into that campaign and found explicit connections to the U.S. government. The Network survey began and concluded before Ellen’s story was published.

In favor of disclosure

For some respondents who favored disclosure of suspected U.S. operations, it was about overall security.

“The internet is too critical for society for vulnerabilities to persist, even if they are being exploited by the ‘good guys,’” answered Bruce Schneier, a lecturer and fellow at Harvard University and chief of security architecture at Inrupt. “Reporting hacking of any type, by anyone, makes us all safer. Apologies to those on our side; defense has to take precedence.”

Hiding the campaigns once they’re discovered could also prove problematic for U.S. aims, said Betsy Cooper, a policy director at the Aspen Institute and a senior adviser at Albright Stonebridge Group.

“If companies decide to hold back disclosure anytime the U.S. government is the source, then malicious actors will have even more incentive to undertake false flag operations and blame the U.S. for all their trouble,” she said.

Cooper is skeptical that most companies could accurately attribute the source of a campaign anyway. Attribution, some maintained, wasn’t a necessary part of the discussion.

“Discovering an operation doesn’t mean you have a responsibility to accurately attribute it,” said Jeff Moss, president of DEF CON Communications. “Exposing what you have found helps shed light on the size of the problem and inform better policy outcomes.”

Despite the “yes or no” format of the survey question, many respondents offered caveats.

Organizations should call out U.S. government-led disinformation efforts but not hacking campaigns, said Jay Kaplan, CEO of cybersecurity company Synack, who answered “yes” to the overall question.

“Companies and the government need to work together to avoid derailing vital national security missions” on the hacking front, Kaplan said. “Disinformation campaigns are a different story. By definition, they play out publicly. And any government or group trying to sway public opinion by deliberately sharing false information shouldn’t be surprised if their efforts are exposed.”

Some favored coordination with the U.S. government, while others did not.

“Companies should consider notifying governments in advance of outing them. Responsible security researchers notify companies before exposing zero-days,” answered Bruce McConnell, a distinguished fellow at the Stimson Center.

Companies should “of course” disclose, said Mark Weatherford, chief strategy officer at the National Cybersecurity Center.

“What is the alternative? Ignore it and let it continue? Call the FBI and take the time to run that gantlet and try to find someone who will take you seriously?” Weatherford asked. “We should expect that everyone is playing off the same sheet of music, and it would be the height of hypocrisy to expect companies to treat this activity any differently than if it was a criminal or nation-state actor.”

Katie Moussouris, CEO of Luta Security, had a novel reason for answering “yes.”

“If private companies uncover the U.S. government’s own cyber offense operations, the public should know about it, if for no other reason than to know how much our cyber offense capabilities need to be much stealthier to evade our adversaries,” she replied.

Opposed to disclosure

One survey respondent who answered “no” didn’t want to prescribe what companies should do, given the potential harm of all the options.

“This debate brings up a question of where an organization's loyalties ultimately lie: to their stakeholders, to the global cybersecurity community, or to their country of origin?” asked Katie Nickels, director of intelligence at Red Canary. “Each organization has to make a decision about where their loyalties lie, and it's not an easy one to make.”

And the “no” and “yes” camps overlap, with respondents on both sides offering caveats.

“It depends. If the effort is in support of legitimate foreign objectives, then ‘no,’” said Paul Rosenzweig, principal at Red Branch Consulting. “If it is some plausible form of misconduct, then ‘yes.’”

Answered Peter Swire, who teaches privacy and cybersecurity at Georgia Tech and is senior counsel at Alston & Bird: “Good judgment is required here. Suppose the U.S. recently was assisting Ukraine to mask its counteroffensive near Kharkiv. I hope that companies based in the U.S. and allied countries would avoid disclosures that would help the Russians.”

Unable to answer

A handful of Network members found the framing of the question problematic, and told us they opted not to answer one way or another.

“It depends on what the organization is securing and for whom,” said Lesley Carhart, director of incident response for North America at Dragos. “Is there a potential risk to civilian lives and infrastructure? How thorough is the researcher's understanding of what is happening and of their accurate attribution? This is one of those cases where we desperately need to educate people better on making ethical decisions in cybersecurity and understanding the benefits and limitations of threat intelligence.”

As the many caveats above suggest, even when some experts answered “yes” or “no,” they found it difficult to do so. Here’s Joe Hall, distinguished technologist at the Internet Society (who ultimately answered “yes,” emphasizing disclosure for “the benefit of defenders everywhere”):

@timstarks dang, totally rethought my 202 response throughout the day. It was a thinker! — Dr. Joseph Lorenzo Hall (@JoeBeOne) September 13, 2022

The network

Here are some more responses to The Network survey question on whether U.S. organizations should publicly expose hacking and disinformation campaigns, regardless of suspected U.S. involvement:

YES: “The issue, and potential danger, with U.S. companies deciding to turn a blind eye to disinfo and hacking operations they believe could be from the U.S. is they can't be sure exactly who is behind any attack. Detected attacks could be from some other bad actor they end up covering up for.” — Shane Huntley, who directs Google’s Threat Analysis Group

YES, but: “... only after going through a process similar to what traditional media goes through to assess whether to publish classified or other sensitive government information. Talk to the administration and give them an opportunity to make the case for why publication would damage national security. Then make an informed and considered decision balancing those arguments and the public interest in the information.” — Suzanne Spaulding, senior adviser for homeland security as part of the International Security Program at the Center for Strategic and International Studies

NO: “If you’re part of a U.S.-based company and discover U.S. government hacking operations, it’s a tough decision on whether you should expose those operations. If the U.S. government is working to counter an operation by hacking a U.S. adversary (nation-state or criminal group) that is focused on attacking U.S. companies for economic gain, what would [be] the point of exposing that operation? Likely just marketing for the company. Not all operations should be exposed.” — Tony Cole, grant advisory board member at the Gula Tech Foundation

YES: “It’s incredibly difficult to collect public information about hacking (including state-sponsored intrusions), so releasing information about these campaigns enables researchers, insurers, cybersecurity experts, and others to learn from them and understand how the threat landscape is shifting and how to do a better job of defending against emerging threats. Equally if not more important, it helps foster trust between companies and their customers if those customers believe that companies are forthcoming about intrusions and disinformation even when those operations originate from the U.S. government.” — Josephine Wolff, associate professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University

The keys

Prosecutors in Bosnia investigate apparent ransomware aimed at parliament

The website for the parliament has been down for two weeks, with local media outlets reporting that some lawmakers had been told not to turn on their computers, the Record’s Jonathan Greig reports. Nezavisne reported that the attack was ransomware, and the Sarajevo Times reported that the parliament’s main server was turned off after the cyberattack.

The case was referred to prosecutors a couple of days ago, Greig reports. “The prosecutor who was on duty on that date gave necessary instructions to officers in law enforcement agencies and the aim is to clarify all the circumstances of the case and to protect the cybersecurity of the IT system and the capacities of the institutions” of the country, said Boris Grubešić, a spokesman for the prosecutor’s office.

Uber releases more details about breach

Last week’s hack of internal systems at the ride-hailing giant probably began with the hacker buying an Uber contractor’s stolen password after the contractor’s phone was infected with malware, the company said. The hacker got around the company’s multi-factor authentication by repeatedly sending the contractor login-approval requests until one was accepted, a technique commonly called MFA fatigue or push bombing. Once inside, the hacker was able to access other employees’ accounts, which gave them elevated permissions in tools such as Slack, the company said. The hacker is also believed to be linked to the Lapsus$ hacking group, which has been responsible for a string of high-profile hacks on major firms, the company said.

“Our existing security monitoring processes allowed our teams to quickly identify the issue and move to respond,” Uber said. “Our top priorities were to make sure the attacker no longer had access to our systems; to ensure user data was secure and that Uber services were not affected; and then to investigate the scope and impact of the incident.” The hacker downloaded some Slack messages and finance data, the company said, and they were also able to view the company’s dashboard for software vulnerabilities reported by researchers. But “any bug reports the attacker was able to access have been remediated,” it said.
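The MFA-fatigue pattern Uber describes above (a burst of rejected or unanswered push prompts followed by one approval) is detectable in authentication logs. The following is an added example written for this page, not Uber’s code or the product of any vendor named here; the JSON-lines log format, field names (ts, user, event, result, src_ip) and the sample records are constructed assumptions. It flags any user whose rejected pushes within a ten-minute window reach a threshold, and rates the finding high when an approval follows the burst inside that window.

```python
"""Flag MFA push bombing (MFA fatigue) in authentication logs.

Added example, not Uber's code. The log schema below is a hypothetical
JSON-lines export; the records are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: contractor1 is bombed and finally approves (the Uber
# pattern), alice is a normal user who missed one prompt, bob is under attack
# but has not approved yet.
SAMPLE_LOG = """\
{"ts":"2022-09-15T02:01:10Z","user":"contractor1","event":"mfa_push","result":"denied","src_ip":"203.0.113.10"}
{"ts":"2022-09-15T02:02:05Z","user":"contractor1","event":"mfa_push","result":"timeout","src_ip":"203.0.113.10"}
{"ts":"2022-09-15T02:03:12Z","user":"contractor1","event":"mfa_push","result":"denied","src_ip":"203.0.113.10"}
{"ts":"2022-09-15T02:04:40Z","user":"contractor1","event":"mfa_push","result":"timeout","src_ip":"203.0.113.10"}
{"ts":"2022-09-15T02:05:33Z","user":"contractor1","event":"mfa_push","result":"denied","src_ip":"203.0.113.10"}
{"ts":"2022-09-15T02:06:20Z","user":"contractor1","event":"mfa_push","result":"approved","src_ip":"203.0.113.10"}
{"ts":"2022-09-15T09:15:00Z","user":"alice","event":"mfa_push","result":"timeout","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T09:15:45Z","user":"alice","event":"mfa_push","result":"approved","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T23:40:00Z","user":"bob","event":"mfa_push","result":"denied","src_ip":"203.0.113.55"}
{"ts":"2022-09-15T23:41:00Z","user":"bob","event":"mfa_push","result":"denied","src_ip":"203.0.113.55"}
{"ts":"2022-09-15T23:42:00Z","user":"bob","event":"mfa_push","result":"timeout","src_ip":"203.0.113.55"}
{"ts":"2022-09-15T23:43:00Z","user":"bob","event":"mfa_push","result":"denied","src_ip":"203.0.113.55"}
"""

REJECTED = {"denied", "timeout"}  # prompts the user did not accept


def parse_events(text):
    """Parse JSON-lines records, keep only MFA push events, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") != "mfa_push":
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, window=timedelta(minutes=10), min_rejected=3):
    """Return one finding per user with >= min_rejected rejected pushes inside
    `window`. Severity is 'high' when an approval follows the burst within the
    same window (the attacker most likely got in), otherwise 'medium'."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        rejected = [e for e in evs if e["result"] in REJECTED]
        # Find the first rejected prompt whose trailing window holds a burst.
        for first in rejected:
            burst = [e for e in rejected if first["ts"] <= e["ts"] <= first["ts"] + window]
            if len(burst) >= min_rejected:
                break
        else:
            continue  # no burst for this user
        window_end = first["ts"] + window
        approvals = [e for e in evs if e["result"] == "approved"
                     and burst[-1]["ts"] <= e["ts"] <= window_end]
        findings.append({
            "user": user,
            "rejected_prompts": len(burst),
            "first_prompt": first["ts"].isoformat(),
            "approved_after_burst": bool(approvals),
            "src_ips": sorted({e["src_ip"] for e in burst + approvals}),
            "severity": "high" if approvals else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed sample this yields two findings: contractor1 (five rejected prompts, then an approval, severity high) and bob (four rejected prompts, no approval, severity medium); alice’s single missed prompt is below the threshold. The thresholds are tuning knobs, not fixed facts: a lower window or count catches slower campaigns at the cost of noise from users who genuinely fumble a prompt. The detection is a backstop; the preventive controls are rate-limiting push prompts per user and requiring number matching or a phishing-resistant factor so that a tired tap cannot approve a login the user did not initiate.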

Daybook

Juliane Gallina, the associate deputy director of the CIA’s digital innovation directorate, speaks at an INSA event today at 9 a.m.

The RH-ISAC hosts its cyber intelligence summit today and Wednesday in Plano, Tex.

Your newsletter host moderates a discussion with Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the co-chairs of Cyberspace Solarium Commission 2.0, at a Foundation for Defense of Democracies event Wednesday at 8:30 a.m.

Emily Goldman, the director of the U.S. Cyber Command / National Security Agency Combined Action Group, speaks at a Carnegie Endowment event on Wednesday at 10 a.m.

The Senate Intelligence Committee holds a hearing on the National Counterintelligence and Security Center, and protecting U.S. innovation Wednesday at 2:30 p.m.

