U.S. cybersecurity officials point finger at “lying, cheating, stealing” China, while another cybersecurity leader speaks out about “boring” training. E.U. hits fast forward on new legislation. Trend Micro unveils Rapture ransomware while Microsoft unveils rusty Windows.
NSA Cybersecurity Director Points Finger at AI, Russia and China at RSA
U.S. National Security Agency (NSA) cybersecurity director Rob Joyce highlighted the threat from AI, Russia and China in a presentation at RSA last week. Joyce said that Russian-based actors were actively attacking Ukraine, through disruption of both civil society and the war effort, as well as intelligence gathering. Attacks on the West in general were broadly focused on intelligence gathering. China was the most active cyber threat to the U.S., he said, and was targeting key sectors such as biotech and AI. But AI itself was a threat, with both nation states and criminals using ChatGPT and similar tools to refine their attacks. “Buckle up,” he advised.
FBI Chief Says It’s Outgunned 50 To 1 By China in Cyber Budget Plea
Appearing before a U.S. House committee last week, Federal Bureau of Investigation (FBI) director Christopher Wray also took aim at China, claiming Beijing is fielding 50 hackers for every one FBI cyber agent or intelligence analyst. He told the House Appropriations Committee's subcommittee on Commerce, Justice, Science, and Related Agencies that China had a multi-pronged strategy to “lie, cheat, and steal their way to surpassing us as the global superpower in cyber”. He asked the committee for another $63 million in budget, and said the agency was looking to add 192 more cyber positions, which it would place “close to the victims that need us”.
Why Are We in A Cyber Skills Hole? NCA Director Suggests Cybersecurity Training Is “Boring”
The executive director of the National Cybersecurity Alliance (NCA) told the RSA conference last week that workplace cybersecurity training was failing to deliver dividends because course designers were too focused on box checking, forgetting that their students are humans. Lisa Plaggemier said workers are being hit by an “epidemic of boringness” and that leaders should focus on engagement and stimulating students’ curiosity. “From a user experience perspective, it’s awful.”
Brussels Sees Movement on Cyber Resilience Log Jam, Solidarity And Certification
The E.U. had a busy week around cybersecurity. The proposed Cyber Resilience Act has been rewritten to clarify how devices and products are classified, updated and patched; there have been concerns that the act could pile undue risk and liability onto open-source developers. The E.C. meanwhile adopted a proposal for an EU Cyber Solidarity Act to strengthen cybersecurity capacities and skills across Europe, and proposed an amendment to the existing Cybersecurity Act to enable future “certification” schemes for managed security services.
Google Launches Authenticator Cloud Backups – With Added Visibility
Google has promised to bring end-to-end encryption to Authenticator cloud backups – but not just yet. Google launched cloud backups for its Authenticator service last week, allowing users to guard against the loss of mobile devices by backing up 2FA tokens to the cloud. But researchers at Mysk promptly warned that the data was not end-to-end encrypted during upload and could be accessed by unauthorized users. They advised “don’t turn it on”. Bleeping Computer reported that the company acknowledged the situation, but said it would offer E2E encryption on the service in the future. The decision not to deploy encryption from the outset was because Google was mindful of the possibility of customers locking themselves out of their own data.
Researchers Give New Ransomware Rapturous Welcome
Researchers at Trend Micro have detected a new ransomware family, dubbed Rapture, that targets victims using a stripped-down approach that leaves a “minimal footprint”. The researchers said they first detected the malware hitting victims in March and April. It uses a similar RSA key configuration to the Paradise ransomware strain and, like its forebear, requires the .NET Framework 4.0 to execute. Their analysis implies that the code is downloaded and executed in memory.
Microsoft is rewriting key Windows libraries in Rust as it looks to better secure the platform, the vendor’s director of operating system security for Windows told a conference last week. David Weston said Windows would be booting with Rust in the kernel within weeks or months. Encouraging a switch to memory-safe languages like Rust is a key element of the White House cybersecurity strategy, with officials saying this would eliminate 70% of vulnerabilities.