Welcome to The Cybersecurity 202! A chap yesterday walked in behind me as I held a door open, whereupon he convincingly made me think that I had somehow bashed his head with that door. At first I got all worried that I’d legit hurt someone, but he let me in on the ruse very quickly. I’m gonna say: Good prank.
Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.
Below: TikTok’s CEO speaks with The Post about the company’s plan to fight calls to ban the app, and two U.S. agencies say they will move to tighten election security ahead of 2024. First:
The Russia-Ukraine conflict is nearing its first anniversary, so it’s time to take stock of cyber’s role
Nearly a year into Russia’s conflict with Ukraine, the world has learned much about both the capabilities and limits of hacking in wartime.
Feb. 24 marks the first anniversary of the Russian invasion of Ukraine, a war punctuated by cyberattacks from its onset to today. “Importantly, this marks the first time that cyber operations have played such a prominent role in a world conflict,” reads a joint one-year analysis from three divisions of Google out today.
It’s a conflict that shows little sign of ending anytime soon. But the anniversary also offers a moment to take stock of what’s transpired, and what it means for the rest of the world.
Lessons learned
Much of the early reaction to the war on the cyber front was experts scratching their heads about why there weren’t as many significant cyberattacks as expected. But there have been some significant attacks, with an early attack on U.S. satellite company Viasat disrupting communications.
But other than that attack, much of Russia’s cyberspace assault has had little impact, said Dmitri Alperovitch, executive chair of the Silverado Policy Accelerator, a think tank.
“For cyber to be effective on a battlefield, it has to be deeply integrated into conventional military plans,” Alperovitch told me. “They’ve utterly failed in achieving any tactical or strategic successes, Viasat aside, which actually was a combined arms operation with significant effects.”
Originally, there were fears that Russia’s cyberattacks would extend to other nations, too, such as Ukrainian allies. “I think all of us were surprised, somewhat, that there have not been more significant attacks outside of Ukraine,” Jen Easterly, director of the Cybersecurity and Infrastructure Agency, said Wednesday.
It’s not that other countries got off scot-free. Easterly noted that there was at least one cyberattack that spilled over into Poland, which is a member of NATO and the European Union.
Google saw a big jump in phishing attacks against Poland in 2022, led by a Russia-affiliated hacking group commonly known as Ghostwriter. And while the war in Ukraine might not be the only factor, Russia-based phishing attacks against NATO countries jumped 300 percent from 2020 to 2022, Google found.
Easterly — more from her later on election security further down in The Cybersecurity 202 — attributed the relative lack of attacks outside Ukraine to several factors:
- CISA’s “Shields Up” awareness campaign warned about the threat of spillover attacks.
- Russia was overconfident that it was going to “cakewalk to Kyiv.”
- Russia was also concerned about potential escalation, she said.
After the early quick tempo of cyberattacks in Ukraine and attempts to launch destructive attacks that would wipe out computers in parts of the country like its electricity industry, Russia’s effort “began to drift a bit,” said Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter Team.
It’s possible that Russia was ineffective because of overconfidence that led to poorly planned attacks, he said. Also, Ukraine hardened its defenses after years of Russian cyberattacks before the invasion, he said.
And attacks against Ukraine have also been more plentiful than the public knows, Alperovitch said.
“The Ukrainians have done an amazing job keeping much of it under wraps,” he said. “Not all the attacks have been successful, but even those that have been successful have been in many cases kept under wraps, and the Ukrainians in general obviously do not want to give Russia a propaganda victory by admitting that some of their attacks had succeeded.”
In the future …
The war is not over. It’s possible that Russia could still ratchet up its cyberattacks, according to cybersecurity experts and Google.
“We assess with high confidence that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance — real or perceived — toward Ukraine (e.g., troop losses, new foreign commitments to provide political or military support, etc.),” its report reads. “These attacks will primarily target Ukraine but increasingly expand to include NATO partners.”
The conflict has also offered lessons for Ukraine and other countries. The war has led to the “realization that when the shooting starts, old-fashioned warfare may be more effective than cyberwarfare,” O’Brien said. Leaders in Ukraine and on the international front have plenty to worry about beyond cyberspace, where Ukraine has spent time and resources countering cyberattacks.
Ukraine built up its ability to withstand cyberattacks and make them harder to carry out, which is especially important at the beginning of a war, said Mark Savchuk, a member of the Ukrainian Volunteer Journalists Initiative that seeks to communicate about Ukraine with Western media outlets. That’s a lesson for the future as well, he told me.
“It wasn’t the tanks that rolled in first,” said Savchuk, who has worked in the cybersecurity field. “It was the cybersecurity hacks that came first and then came the war.”
Countries around the world can take still other lessons from the cyber dimension of the Russia-Ukraine war, Alperovitch said.
“In future conflicts, powers that integrate cyber directly with electronic warfare with kinetic strikes with military intelligence collection are the ones that are going to reap the benefits of this tool,” he said.
But some aspects of the Russia-Ukraine conflict have little applicability elsewhere. For example, some nations integrate their weaponry and network connectivity, but neither Russia nor Ukraine do, he said.
“That will not necessarily be true in future conflicts, and particularly if there’s going to be conflict between the U.S. and China,” he said. “That will present unique opportunities to cyber for disruption and potentially even disabling of critical offensive capabilities, at least in the opening stages of conflict. And maybe even throughout.”
The keys
U.S. to improve election security ahead of 2024
Two federal agencies will expand, refine or debut security initiatives for the 2024 elections, officials said Wednesday.
CISA Director Jen Easterly and Election Assistance Commission Vice Chair Christy McCormick stood alongside state and local leaders in charge of running elections, following a closed-door meeting of the Election Infrastructure Sector Coordinating Council, where members discussed how to improve election security.
Easterly talked to reporters about making better use of existing programs:
- Relying more on state and regional CISA officials to provide a variety of election security services, like field visits to provide cyber assessments, and better explaining how its services are prioritized to fit the size of election jurisdictions.
- Moving as many offices as possible to the more secure dotgov domains.
- Distributing funds from CISA grant programs.
- Expanding initiatives like the Joint Cyber Defense Collaborative information-sharing program and promoting CISA’s voluntary cybersecurity performance goals for the election sector.
McCormick talked about a few new programs that could play a role in the 2024 elections:
- Updated voluntary equipment security guidelines.
- Penetration testing to search for weaknesses in all voting systems submitted to the commission.
- A testing and certification program for e-poll books and other nonvoting election technology.
New threats are likely to emerge in the 2024 elections. “Even though a landscape may change, the goal is still the same, to protect the integrity and security of our elections,” said Tahesha Way, president of the National Association of Secretaries of State.
TikTok’s CEO is one of Washington’s least trusted executives. Now he’s fighting back.
Shou Zi Chew, the chief executive of one of the world’s most popular apps, has been virtually silent for months as bipartisan members of Congress and state governors push to ban TikTok, saying its ties to China make it a national security threat.
But now, while preparing to face Congress over the site’s influence in March, Chew said that he is ready to persuade lawmakers not to throw it away completely — especially because a majority of them have never actually used the app themselves.
“We have to have tough conversations on: Who is using it now? What kind of value does it bring to them? What does it mean if we just, like, rip it out of their hands?” Chew said Tuesday during an exclusive interview with The Washington Post’s Drew Harwell.
“I don’t take this conversation of ‘let’s just ban TikTok’ very lightly. … I don’t think it’s a trivial question. I don’t think it should be something that’s decided, you know, in 280 characters,” he added, referring to recent tweets about the app’s alleged threat.
On Tuesday, Chew met with Sen. Michael Bennet (D-Colo.), a member of the Senate Intelligence Committee who called for TikTok to be removed from app stores earlier this month. His visit was likely an attempt to tamp down concerns that the app posed a risk to data privacy and censorship, given China’s authoritarian style of online surveillance and media control.
However, following their meeting, Bennet said that he remained unconvinced, arguing that TikTok was “an unacceptable risk to U.S. national security” and threatened a “poisonous influence” on American teens.
Still, Chew argues that some critics’ anxieties about online data mining or teenage use relate to bigger issues that should be resolved by industry-wide policy, rather than single-app ban.
Chat room
Your Cybersecurity 202 anchor, Tim Starks, took to Twitter on Wednesday to ask this weeks most burning question: Is the Chinese surveillance balloon a cyber story?
What do cyber folk think of the Chinese (alleged) spy balloon stuff? Is it a CYBER story? Please explain why or why not.
— Tim Starks (@timstarks) February 15, 2023
The resounding answer is “well no, but …” Here’s what some notable experts in cyberspace had to say:
It’s an intel story, which has cyber elements, but is not exclusively cyber elements.
— Megan Stifel (@MeganStifel) February 15, 2023
Not a cyber story, but the increase in space based comms allows for a dramatic expansion of the means of data collection. These communications are vulnerable to cyber.
— Cyber Thunder Run (@drbvaler) February 15, 2023
Totally an intel and military story. We need more info about the SIGINT side of what it was doing to tell if it has a cyber element -- but probably minimal
— Paul Rosenzweig (@RosenzweigP@thecooltable.wtf) (@RosenzweigP) February 15, 2023
I wouldn't say it is a cyber story yet but rather will be.
— Justin Fier (@JustinFier) February 15, 2023
Government scan
Securing the ballot
Industry report
Cyber insecurity
Encryption wars
Daybook
- The Cyber Threat Alliance holds a webinar about the importance of mandatory cyberattack incident reporting requirements today at 12 p.m.
- The Future of Privacy Forum holds its 13th annual privacy papers for policymakers summit and awards ceremony today at 5:30 p.m.
- The National Association of State Election Directors holds its winter conference in D.C. today through Saturday.
- The National Association of Secretaries of State holds its winter conference today through Saturday
- The Intelligence and National Security Alliance holds its annual achievement awards today at 6 p.m. in Arlington, Va.
Secure log off
Today, nobody showed up to my 8.15am class.
— Joseph Mullins (@josephmullins) February 14, 2023
0 students of about 40. Sitting in the empty room, I email them, trying to disguise my hurt feelings.
2 mins later, I get a reply: "Professor, we think you might be in the wrong room." So anyway off I go to live in a hole forever.
Thanks for reading. See you tomorrow.