A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! Social media being what it is, you never know what will pop up in your feeds. So here’s a baby “tank pony” protecting its sedated parent.
Below: The Office of Management and Budget issues a memo for agencies to catalogue quantum-vulnerable systems, and Meta fires allegedly malicious insiders. First:
The collapse of major cryptocurrency exchange FTX and loss of between $1 billion and $2 billion — a significant amount of which hackers may have stolen — has been huge news over the past week. It makes one wonder about the security of cryptocurrency, or even online financial security in general.
But, as they say in “The Hitchhiker’s Guide to the Galaxy,” don’t panic. That’s what Phil Venables, chief information security officer on Google Cloud, and Tom Robinson, founder and chief scientist at blockchain analytics firm Elliptic, told me at a Washington Post Live event focused on protecting one’s money and data online.
It’s not that there aren’t significant security challenges in protecting money online, they acknowledged. But both espoused a degree of optimism, arguing that we all might be just fine — or even better off in some ways — in a more digitized economy in the long term.
The FTX hack
As of last weekend, Elliptic suspected $477 million had been stolen from FTX, one of the world’s largest cryptocurrency exchanges, before it filed for bankruptcy.
“On Friday evening, we noticed some large crypto transactions out of FTX’s wallet, and they began to exhibit some of the characteristics of what we see when a large theft has happened, when a hack has happened,” Robinson told me.
FTX’s security woes have spilled out in court and elsewhere. “Unacceptable management practices included the use of an unsecured group email account as the root user to access confidential private keys and critically sensitive data for the FTX Group companies around the world,” new CEO John Ray III wrote in a bankruptcy filing.
What happened at FTX is sure to have a ripple effect in consumer confidence in crypto, Robinson said, even if he doesn’t believe it should.
“I think this is a big hit for the cryptocurrency industry, and it will take a long time to recover,” he said. “But, personally, I still have the same confidence about the underlying technology and its potential to revolutionize finance. We have been through instances like this in the past. I think the perception with the industry is that a lot of the bad actors had been cleared out of the industry, but obviously the events last week show that that’s not entirely the case.”
The digitization of the economy generally has brought some security improvements, Venables said.
“I think it’s been great for convenience, and in many respects, it’s also been great for security, because some of the online mechanisms, despite some of the challenges of online security, are actually probably more secure than some of the old previous, more kind of manual experiences,” he said, citing features like alerts that tell bank customers when their accounts make a transaction above a certain threshold.
.@philvenables says, “With all of my bank accounts and credit cards and payments is make sure I get an alert when some transaction happens above a certain threshold… Most banks… provide these capabilities… if they don’t that’s probably something you should question.” #PostLive pic.twitter.com/FMb3gYp6vH
Living our lives more online doesn’t necessarily mean more data breaches and hacks, said Venables, calling himself a “short-term pessimist, long-term optimist.”
On the other hand, new doesn’t equal better. Take blockchain bridges, which allow someone to move crypto assets from one blockchain to another. Funds are stored in cryptocurrency wallets when they’re sent through bridges.
Because it’s an “immature” technology, hackers have found plenty of bugs to exploit and steal billions of dollars from them, Robinson said.
“We’ve seen a bit of a pivot of cybercriminality away from things such as ransomware toward exploiting the crypto space, and again, I think that’s just because of the amounts of money that are hanging around it in wallets out there and there for the taking if they can work out how to exploit that,” Robinson said.
Different nations are making use of cryptocurrencies in different ways for illicit aims, Robinson said.
.@tomrobin tells @timstarks: “Some militant groups in Russia-controlled areas of Ukraine are using crypto for fundraising. This was actually done by Ukraine as well early on in the conflict.” #PostLive pic.twitter.com/zJsPKAeAL9
To better protect citizens’ data online, governments need to secure the data they hold for public services, Venables said.
Governments also need to serve as messengers for good security, such as advocating for multi-factor authentication, and they need to create mechanisms for sharing information with the private sector, he said. And in Venables’s view, those are all things the U.S. government has been doing better all the time.
Crypto needs more regulations, Robinson said, and legislation to establish regulatory frameworks. While there’s been some cracking down on illicit finance, the biggest gap is in consumer protection, something the European Union is addressing with its forthcoming regulations, he said.
“If they’re going to be effective, there needs to be similar regulations in place globally, because what we’re seeing in a lot of cases is crypto businesses using regulatory arbitrage to base themselves in a jurisdiction where there is relatively little regulation but then offer their services globally,” Robinson said.
Another big problem?
“I think you need to make it difficult for the criminals to be able to cash out,” Robinson said. “I think there’s been a lot of progress in this area over the past decade, but these funds are being stolen because they’re able to convert the crypto back into fiat currency at some point and therefore profit from their crimes.”
The Biden administration has been taking a number of steps to tackle illicit use of crypto, such as sanctioning a cryptocurrency mixer that it says has been used to launder billions and forming a global alliance to counter ransomware.
The Office of Management and Budget is directing federal agencies in a new memo to list the systems they have that use types of encryption that quantum computers are expected to be able to crack in the coming years, according to a copy of the memo exclusively obtained by The Cybersecurity 202. The memo, which OMB is releasing today, directs agencies to give CISA and National Cyber Director Chris Inglis’s office a prioritized list of systems by May 4 and update it annually until 2035.
“We’re going to learn a lot,” Chris DeRusha, the federal chief information security officer and deputy national cyber director, told The Cybersecurity 202. “The first major deadline in the memo is May 2023, so not a lot of time for agencies to do their first analysis and get their inventories back to us.”
“Once we have this data it will enable us to have smart conversations with them, about what they’ve learned, where there is common hardware and software across federal government environments that we can take an enterprise approach to addressing, versus an agency-by-agency approach,” said DeRusha, who will lead a new “cryptographic migration working group,” according to the memo. “These are the things I’m excited about with this exercise. That’s the ‘new’ here, this is government really leading the charge.”
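The memo asks agencies for a prioritized list of systems whose encryption a quantum computer could break. As an added illustration, not code from the OMB memo or from any agency tooling, the Python below sketches the triage such an inventory implies: it flags public-key algorithms that Shor's algorithm would break, flags symmetric keys below a conservative size threshold, and ranks systems by how sensitive their data is and how long it must stay confidential. The system entries are constructed, and the algorithm sets, the 256-bit symmetric threshold, the ten-year horizon and the scoring scale are assumptions made for the example.

```python
"""Triage a constructed system inventory for quantum-vulnerable cryptography."""
from dataclasses import dataclass

# Public-key algorithms that a large quantum computer running Shor's algorithm
# would break. Set membership is an assumption for this example, not a standard list.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}

# Grover's algorithm roughly halves symmetric key strength, so the example takes a
# conservative (assumed) policy of requiring 256-bit keys for these ciphers.
SYMMETRIC_MIN_BITS = {"AES": 256, "CHACHA20": 256}


@dataclass
class System:
    name: str
    algorithms: list            # labels such as "RSA-2048" or "ECDSA-P256"
    data_lifetime_years: int    # how long the protected data must stay confidential
    sensitivity: int            # hypothetical scale: 1 (low) to 3 (high)


def parse_alg(label: str):
    """Split 'RSA-2048' into ('RSA', 2048) and 'ECDSA-P384' into ('ECDSA', 384)."""
    name, _, size = label.upper().partition("-")
    digits = "".join(ch for ch in size if ch.isdigit())
    return name, (int(digits) if digits else 0)


def weaknesses(system: System) -> list:
    """Return a human-readable finding for each quantum-relevant weakness."""
    found = []
    for label in system.algorithms:
        name, bits = parse_alg(label)
        if name in QUANTUM_VULNERABLE:
            found.append(f"{label}: public-key algorithm breakable by Shor's algorithm")
        elif name in SYMMETRIC_MIN_BITS and bits < SYMMETRIC_MIN_BITS[name]:
            found.append(f"{label}: symmetric key below {SYMMETRIC_MIN_BITS[name]} bits (Grover)")
    return found


def priority_score(system: System, horizon_years: int = 10) -> int:
    """Hypothetical score: sensitivity, weighted up when the data must stay secret
    beyond the assumed horizon (harvest-now, decrypt-later exposure). 0 means no finding."""
    if not weaknesses(system):
        return 0
    exposed = 1 if system.data_lifetime_years >= horizon_years else 0
    return system.sensitivity * (2 + exposed)


def prioritized_inventory(systems):
    """Rank systems with findings from highest to lowest score (name breaks ties)."""
    scored = sorted(((priority_score(s), s) for s in systems), key=lambda t: (-t[0], t[1].name))
    return [(s.name, score, weaknesses(s)) for score, s in scored if score > 0]


# Constructed sample inventory for the example; names and values are made up.
SAMPLE_SYSTEMS = [
    System("benefits-portal-tls", ["ECDHE-P256", "RSA-2048", "AES-128"], 1, 2),
    System("archive-backup-encryption", ["RSA-4096", "AES-256"], 25, 3),
    System("internal-log-integrity", ["HMAC-SHA256"], 3, 1),
    System("vpn-gateway", ["ECDH-P384", "ECDSA-P384", "AES-256"], 5, 3),
]

if __name__ == "__main__":
    for name, score, findings in prioritized_inventory(SAMPLE_SYSTEMS):
        print(f"{score:2d}  {name}")
        for finding in findings:
            print(f"      - {finding}")
```

Running it ranks the long-lived, high-sensitivity backup system first even though it uses the largest RSA key, because key size does not help against Shor's algorithm while data lifetime decides whether traffic captured today is still valuable when a capable machine exists; a system with only an HMAC for integrity produces no finding and is left off the list.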
Meta has fired more than two dozen employees and contractors over the last year amid a long internal investigation, the Wall Street Journal’s Kirsten Grind and Robert McMillan report. Some workers at Meta allegedly accepted bribes from hackers who wanted access to accounts, they report.
“Some of those fired were contractors who worked as security guards stationed at Meta facilities and were given access to the Facebook parent’s internal mechanism for employees to help users having trouble with their accounts,” they write, citing documents and people familiar with the matter. “The mechanism, known internally as ‘Oops,’ has existed since Facebook’s early years as a means for employees to help users they know who have forgotten their passwords or emails, or had their accounts taken over by hackers,” they write.
Meta spokesman Andy Stone told the Wall Street Journal that “individuals selling fraudulent services are always targeting online platforms, including ours, and adapting their tactics in response to the detection methods that are commonly used across the industry,” adding that Meta “will keep taking appropriate action against those involved in these kinds of schemes.”
A bipartisan group of 33 state attorneys general told the Federal Trade Commission that private firms’ practices of collecting location data, biometric data and medical data pose risks to consumers, and that the FTC should look to some states that require businesses to limit the personal data they collect. The attorneys general wrote that they’re “concerned about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.”
The letter came in the final days before an agency deadline for comments on an advance notice of proposed rulemaking for commercial surveillance and data security rules.
Google wins Russian botnet hack suit and attorney sanctions (Law360)
Amazon poaches top National Cyber Security Centre exec Levy (Sky News)
Texas signals potential changes to cybersecurity policies (StateScoop)
Today’s third @washingtonpost TikTok features @elonmusk’s ultimatum https://t.co/InMzcOpDQS pic.twitter.com/2ZRCTIDR9Y
Thanks for reading. See you next week.