Good morning, this is The Smoke Eater for Sunday, May 16, 2021, and that's the way of the world.
Quick Hit
* A major policy shift * Ryan Lizza’s one-trick pony * The poorly constructed WOPR * The first rule of Cyber Fight Club * Deep pocketed state-media *
NOTE: This week's Smoke Eater is a bit savage and nerdy, but mostly devoid of the clichés other journos seem content to use in every story about cyber security. Just remember that The Smoke Eater is mobile friendly, totally free and supported by super awesome readers. For the love of our machine overlords, be super awesome and tip me on Ko-Fi, find me on Venmo, or Paypal, or subscribe to my Patreon!
Aviator Time
After a string of increasingly brazen data breaches, leaks, and ransomware attacks over the past several months, President Joe Biden issued an executive order on May 12 that his administration hopes will create new standards for cyber security.
The new EO is structured to create new software-security standards for the federal government. The Commerce Department (acting through NIST) will set up guidelines for companies that do business with the government, and the Department of Homeland Security will stand up a Cyber Safety Review Board -- modeled on the National Transportation Safety Board -- made up of federal officials and private-sector representatives, to review serious cyber incidents.
Among several other requirements, the abnormally long, 34-page order directs federal agencies to adopt multi-factor authentication (MFA) rather than rely on passwords alone, to encrypt data at rest and in transit, and to report serious cyber incidents within three days, and it requires contractors to report breaches to the Office of Management and Budget and to DHS's Cybersecurity and Infrastructure Security Agency (CISA). The hope is that the new rules will spur better cyber hygiene within the federal workforce, and in private companies.
Because the federal government has major contracts with the biggest players in the IT, telecom, and software spaces (Adobe, Alphabet, Amazon, Apple, AT&T, Cisco, Dell, HPE, IBM, Microsoft, etc.), big tech businesses don't really have a choice. An EO doesn't have the same power as congressional legislation, but this affects so many companies with government contracts that it'll be difficult to unwind.
There weren't a lot of stories about Biden's EO Thursday morning. Neither the Washington Post nor the New York Times had anything on their front pages, let alone above the fold in their respective print editions. WaPo had two-ish stories, a detailed one from Ellen Nakashima that was pushed shortly after the EO went out on Wednesday night, and a brief in their Cybersecurity 202 newsletter Thursday. The NYTimes had two-ish stories as well, one buried beneath a mountain of pearl-clutching gossip in the politics section, and another on the rising threat of cyber attacks that ran in the climate section (and it didn't mention the EO or climate change). There was no point in checking Politico as Ryan Lizza seems determined to ride his one-trick pony through the apocalyptic ruins of Trumpland.
The Verge had a summary that told readers to see the White House Fact Sheet. Motherboard, for all its paranoid techno-Bible thumping, didn't even mention the EO in its write up of Biden's speech about the Colonial Pipeline breach (though it did run a story about someone named "Buttfucker 3000" in a Michigan court). TechCrunch didn't cover it either; they all had several stories on Elon Musk.
Nobody seems to be talking about the administration's policy response to the rising number of serious cyber incidents -- which is (to put it simply) a big fucking deal. Cyber is only getting a passing mention on the Sunday shows right now: politicians facing contentious reelections are making boilerplate comments about the need for more infrastructure spending without acknowledging the truly pathetic state of broadband in the US, or how increasing connectivity requires increasing security. Most mastheads' reporting has centered on the Colonial Pipeline breach itself, the Acela Corridor's rising gas prices, whether companies should pay a ransom for stolen data, the hacking group's amusing apology for causing a clusterfuck, and some brain-dead anecdotes about incredibly stupid people filling up trash bags with gasoline.
"Let's Play Global Thermonuclear War."
There haven't been any serious policy moves on cyber security since the Reagan administration. And that only happened because Reagan was (arguably) a bit senile.
After seeing "WarGames," the classic 1983 film about a kid who stumbles through the backdoor of a NORAD computer with control of the US nuclear arsenal, a (justifiably) paranoid Reagan asked members of Congress, the Joint Chiefs of Staff, and a handful of advisers to discuss the plausibility of the film. Gen. John W. Vessey Jr., then-Chairman of the Joint Chiefs, came back a week later and said, "Mr. President, the problem is much worse than you think." About a year later, on September 17, 1984, NSDD-145, the "National Policy on Telecommunications and Automated Information Systems Security," was released. It warned that the telecommunications and computer systems then spreading through government and the commercial market were "highly susceptible to interception," and that hostile state and non-state assholes were already breaking into networks.
Coincidentally, one of the film's consultants, Willis Ware, warned about the possibility of network breaches in 1967. One of Ware's close friends, Donald Latham, the liaison between the Pentagon and the NSA, was tasked with writing the bulk of NSDD-145. Both Ware and Latham knew the NSA had been poking around the Soviet Union and China for years because they'd both worked at the NSA as analysts.
BONUS: Two years after NSDD-145, Cliff Stoll, a shaggy astronomer at Lawrence Berkeley Lab, began investigating a 75-cent accounting discrepancy in the lab's computer time and ended up uncovering a West German hacker selling what he stole to the KGB -- one of the first documented computer-intrusion investigations (or "hacks").
NSDD-145 authorized the NSA to make policies on protecting unclassified information, effectively transferring control of government document standards to the NSA. Civil rights and liberties groups were pissed, the order was rescinded a few years later, and it was replaced by National Security Directive 42 in 1990. Federal and military officials largely ignored warnings from computer nerds for the next 18 years until the George W. Bush administration scribbled out NSPD-54/HSPD-23 in 2008, the Comprehensive National Cybersecurity Initiative, which tightened the federal rules on securing government networks and the data stored on them.
All of this makes you wonder what would've happened if The Gipper had watched "Tron."
In 2012, the Obama administration pushed for a watered-down cybersecurity bill that would have governed critical infrastructure systems. The bill was ultimately murdered on the Senate floor during a Republican-led filibuster following a months-long lobbying effort by short-sighted cash fetishists at the US Chamber of Commerce who insisted the voluntary standards were overreach. Despite the urging of top national defense officials, and a rare op-ed from President Obama in the Wall Street Journal, conservatives shat upon the bill, calling it too burdensome for private industries who didn't feel the government should be in a position to tell businesses to lock their fucking doors.
Big tech companies complained about a provision that would've allowed information sharing between private companies and federal agencies on past, present, and potential data breaches, arguing it was a serious breach of user privacy. Even Apple -- which was still attempting to whitewash the poor security practices that culminated in the leaking of hundreds of nude photos from mostly female celebrities -- shamelessly argued, "collaboration should not come at the expense of users' privacy."
Whether or not big tech was piggybacking onto the arguments from civil liberties groups and privacy advocates in an effort to keep hiding data breaches that would endanger quarterly profits is moot. The information-sharing provision (the Cybersecurity Information Sharing Act) was wrapped into the FY2016 spending omnibus and signed into law with only a whimper from privacy advocates and civil libertarians.
Cyber security advocates have been warning that attacks will only get worse. China steals intellectual property and secrets from governments and businesses to produce its own knock-offs as a matter of public policy. The US and Russia proved it's possible to remotely attack critical infrastructure systems with the Stuxnet worm and the 2015 shutdown of the Ukrainian power grid, respectively. The OPM breach saw the doxxing of the US federal workforce, the Equifax breach saw the personal information of half of America dumped onto the dark web, and the NSA's hubris allowed WannaCry and NotPetya to wreak havoc on banks and hospitals all over the world. SolarWinds proved how susceptible everyone and everything is to a compromised supply chain.
On Friday, Bleeping Computer reported that DarkSide, the group responsible for the Colonial Pipeline attack, went dark after allegedly losing access to its servers. At roughly the same time that story dropped, US Army Gen. Paul Nakasone and Mieke Eoyang, the Deputy Assistant Secretary of Defense for Cyber Policy at the Office of the Under Secretary of Defense for Policy, were speaking before the House Armed Services Committee's Subcommittee on Cyber, Innovative Technologies, and Information Systems for a hearing titled, "Operations in Cyberspace and Building Cyber Capabilities Across the Department of Defense."
Nakasone noted that the steps taken by the Biden administration (so far) were a "good first step," but the US still needs a "whole of government" approach that includes the private sector and Congress stepping up. Both Eoyang and Nakasone commented that the US needs to attract and retain people capable of working in offensive and defensive cyber operations, and that Congress needs to pass policies governing critical infrastructure systems.
Ethically-challenged and self-described Florida Man, Republican Rep. Matt Gaetz, pointed out the obvious when he noted that "the brightest minds" in tech seem less interested in government service and more interested in making lots of money from clickbait and shitposts.
In response to questions from former Central Intelligence Agency analyst and Department of Defense official Democratic Rep. Elissa Slotkin, Nakasone noted that elements of the National Guard were being increasingly utilized in cyber defensive strategies to protect things like election security. In a closing comment, Slotkin noted that it was difficult to explain the US' response to cyber attacks to the general public, and encouraged Nakasone to include a "bold" cyber component in the 2022 National Defense Authorization Act.
What wasn't readily apparent in Slotkin's comments was how the US, unlike its rivals, is better at carrying out offensive cyber operations because it's not constantly screwing up and getting caught. Stories about preventing breaches don't often get coverage from major media outlets, and the US is reluctant to discuss any clandestine operations.
In a cruel twist of irony, one of the biggest obstacles preventing a Geneva Convention on cyber warfare has been the US. Clandestine services relish their ability to act unilaterally in cyberspace, and any rules that could limit their capability to attack, deter, or surveil an adversary -- even if that means adversaries would be (theoretically) incapable of using the same tools and methods -- have quietly been killed in some smoke-filled room near Capitol Hill.
One More Thing...
China's state-run news wire, Xinhua, has officially registered as a foreign agent, Axios has reported. Data from The Center for Responsive Politics shows China as the second-largest foreign spender on influence operations in the U.S. between 2016 and 2020, after spending almost $175 million. In 2020, it was number one after spending over $54 million: over $50 million went to the US arm of China's state-owned TV outlet, and another $3 million went to the China Daily of Beijing, a state-run news outlet that often reaches out to freelancers like myself. Over the last several years, a number of stringers have worked with Xinhua because of the crazy rates it's willing to pay. An increasing number of stringers have refused to work for these outlets because, as one colleague recently summarized to me, "they mess with everything you give them and turn it into propaganda."
Last summer Russian state-media outlets made similar overtures to photojournalists covering protests. US-based stringers kept telling them to fuck off, and the Russian state-run media apparatus quietly began funding small, digital-only media operations in major cities. They now dispatch their own people to record video that they can then license out to other US or international broadcasters, or push on social media.
OK, here's a cute critter video: BABY GOATS!
Follow Dominic on Twitter and Instagram.
The Smoke Eater is mobile friendly, ad-free and relies on your tips and subscriptions. It takes a lot of time and energy to put each issue together, so consider tipping me on Ko-Fi, or Venmo, or Paypal, or just subscribe to my Patreon. You can also browse and buy my photos at my website, dominicgwinn.com.
Questions? Comments? Complaints? Shoot me an email or slide into my DMs!