July 16, 2024

The State of the Union was light on cybersecurity

The State of the Union was light on cybersecurity


Welcome to The Cybersecurity 202! No idea if any of this is deserved, but if you like a good scathing music review, here you go.

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: U.S. officials link the Chinese spy balloon to a vast aerial surveillance operation, and scammers pose as charities trying to help Turkey and Syria after Monday’s earthquakes. First: 

Biden’s address didn’t directly discuss cybersecurity, but it mentioned related topics

President Biden used his State of the Union address Tuesday evening to discuss some cyber-related topics like online privacy, but he steered clear of addressing cyber directly.

It’s part of a recent trend in the annual speech — which is widely seen as a signal of every White House’s priorities — where the subject usually hasn’t been explicitly mentioned. 

Biden devoted just two paragraphs to online privacy, and largely focused on privacy for children online. “It’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on our kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data the companies collect on all of us,” Biden said in his speech

Those subjects do relate to cybersecurity, as Cliff Steinhauer, director of information security and engagement at the nonprofit National Cybersecurity Alliance, told me: “If you aren’t collecting Social Security numbers, you don’t have to protect Social Security numbers. If you’re not collecting location data, then you don’t have potential location data that you can lose. So, absolutely, it becomes safer not to take that information in the first place because it becomes very difficult to protect it.” 

The presence of some marginally cyber-related material, though, didn’t fully satisfy some cyber experts. They would’ve liked to see some more head-on State of the Union talk on cyber from the president.

“It’s disappointing,” Alex Santos, CEO of the critical infrastructure protection-focused firm Fortress Information Security, told me. “At the same time, [the speech is] arguably a performance and maybe the public isn’t as interested in that issue as some of the headline issues.”

The new chairman of the House Homeland Security Committee was less understanding of the Democratic president’s omission.

“President Biden didn’t so much as utter the word cybersecurity once in his remarks tonight,” said Rep. Mark Green (R-Tenn.) in a news release. “Cyberthreats from criminal actors and nation-state adversaries are a preeminent national security threat of our time. Given the magnitude of the cyberthreat landscape, I strongly believe cybersecurity must be a priority. But this clear void in his speech is nothing new.” 

What the State of the Union said

In his speech, Biden touted the need for privacy, health and safety online, especially for children using social media platforms.

Children are “subject to the platforms’ excessive data collection vacuum, which they use to deliver sensational and harmful content troves of paid advertising,” a fact sheet from the administration reads.

Social media platforms and other digital service providers need to prioritize safety-by-design over profit, Biden said. On the cyber side, the Cybersecurity and Infrastructure Security Agency has similarly been touting safety and security-by-design.

The fact sheet also addressed data collection practices:

  • “Big Tech companies collect huge amounts of data on the things we buy, the websites we visit, and the places we go,” it said. “There should be clear and strict limits on the ability to collect, use, transfer, and maintain our personal data, especially for sensitive data such as geolocation and health information, and the burden must fall on companies — not consumers — to minimize how much information they collect.”

Industry organizations, like the Information Technology Industry Council, and tech advocacy groups, like Fight for the Future, used the occasion of Biden’s speech to call for passage of long-stalled federal privacy legislation. 

Biden also mentioned the need to “crack down on identify fraud by criminal syndicates stealing billions of dollars from the American people.”

And Biden made an allusion to alleged Chinese spying, referencing the balloon the U.S. military shot down over the weekend. But he didn’t mention Chinese hacking and cyberespionage, which experts say pose a significant threat.

“Make no mistake: As we made clear last week, if China threatens our sovereignty, we will act to protect our country,” he said. “And we did.”

What the State of the Union doesn’t say

The recent history of State of the Union mentions of “cyber” is hit-or-miss.

  • Barack Obama mentioned “cyber” in five of his eight addresses.
  • Donald Trump never mentioned it in his State of the Union speeches, although, as with Biden’s speech Tuesday, he talked about some related issues.
  • Biden brought it back in a State of the Union-like speech before a joint session of Congress in 2021. In that speech, he listed “cybersecurity” as one of the “crises of our times,” speaking critically of Russian “cyberattacks on our government” and touching on cybersecurity and education. It was the debut of “cybersecurity” in the context of the joint address.
  • “Cyber” talk departed once more in 2022, with Biden touching on some of the same cyber-adjacent subjects last year that he discussed last night.

Even though this year’s speech didn’t mention cybersecurity, that doesn’t mean the Biden administration is doing nothing on cyber. Nor does the lack of cyber mentions in prior administrations’ State of the Union speeches mean they didn’t do anything on the subject. 

The White House is preparing the forthcoming national cybersecurity strategy, which will lay out a blueprint for approaching cybersecurity — and is set to embrace the role of regulation in boosting America’s cyberdefenses. 

Cybersecurity work by the White House and CISA is important, said Steinhauer, whose organization promotes safe use of technology and partnership between government and industry. (CISA and Steinhauer’s organization partner on initiatives such as National Cybersecurity Awareness Month.)

But the group also talks about creating a culture of security and a culture of privacy, he noted.

“We say it all the time that it starts at the top of the organization,” Steinhauer said. “I would definitely like to see the president talk about that” in a speech like the State of the Union, he said.

  • “He’s got everyone’s attention. He’s going to be the loudest voice,” he said. “What CISA’s doing is great, and what they’re doing is very important, but when you have a president actually reiterating that strategy and reiterating the importance to your everyday citizen, I think that’s super-important.”

Chinese spy balloon is part of a vast aerial surveillance program, U.S. says

U.S. fighter aircraft downed a Chinese spy balloon off the South Carolina coast on Feb. 4. (Video: The Washington Post)

The U.S. intelligence community on Tuesday linked the Chinese spy balloon that was shot down Saturday to a vast surveillance program run by the People’s Liberation Army that has for years collected information on military assets in several countries and areas of strategic interest, Ellen Naskashima, Shane Harris, John Hudson, and Dan Lamothe report for The Washington Post. 

One official acknowledged that while they still are unsure of the size of the balloon fleet, there have been “dozens” of missions since 2018. The balloon that was shot down Saturday is the fifth one to be identified over U.S. territory in recent years. 

Biden directed sensitive sites to be protected from spying, “which was straightforward because we could track the path of the balloon and ensure no sensitive activities or unencrypted communications would be conducted in its vicinity,” National Security Council spokesman John Kirby said. The Biden administration “turned the tables on China and collected against the balloon” to “learn more about China’s capabilities and tradecraft,” Kirby said. 

Some of the balloons have electrooptical sensors or digital cameras that can capture highly precise images, officials said. They also have the ability to transmit radio signals, they said.

Russia is spoofing foreign media

As part of a broader misinformation campaign, the Kremlin is supporting actors that impersonate international media outlets, according to a new study published Tuesday by the European Union’s External Action Service, Bloomberg News reports. 

The operations targeting print and TV media have become more sophisticated since Russia invaded Ukraine nearly a year ago, with magazines in particular seeing their style mimicked to give a sense of legitimacy to the content mostly targeting Ukraine.  

“We have plenty of evidence that Russia is behind coordinated attempts to manipulate public debates in open societies,” E.U. foreign policy chief Josep Borrell said in a speech Tuesday.

The new evidence of information manipulation comes as the “E.U. is struggling to counter Russian disinformation efforts, which officials have said is aimed at undermining the bloc’s unity in supporting Ukraine,” Bloomberg News reports. The report added that the scheme is also intended to distract audiences, deflect blame or direct attention to different topics. 

Cybercriminals have launched an online disaster scam in Turkey, Syria after earthquakes

Less than 24 hours after two massive earthquakes killed more than 11,000 people and injured tens of thousands of people, cybercriminals have begun targeting global efforts to provide aid to victims, according to Bitdefender’s Alina Bizga.

The scam, identified by the Bitdefender Antispam Lab, involves a fake Ukrainian charity foundation seeking money to send to those impacted by the natural disaster, with alleged representatives reaching out to people via email. 

The lab found that a majority of the scam messages were traced back to IP addresses in Pakistan. 

The fake charity, dubbed the Wladimir Foundation, was originally established to target donations to assist those enduring the war in Ukraine. It had been operating as recently as Dec. 29, 2022, according to the lab.

“Fraudsters always try to advantage of individuals’ vulnerabilities and feelings after natural disasters strike, exploiting the empathy of the online community to steal personal info and money,” Bizga writes. “While these insidious acts are nothing new, they can be quite effective in stealing money from unwary and kindhearted individuals.” 

Russian crypto exchange exec pleads guilty to laundering Ryuk ransomware funds (The Record)

Florida state court system, US, EU universities hit by ransomware outbreak (Reuters)

After Hive takedown, could the LockBit ransomware crew be the next to fall? (CyberScoop)

Medusa botnet returns as a Mirai-based variant with ransomware sting (Bleeping Computer)

  • The House Intelligence Committee holds an open meeting with former national security officials on Wednesday at 10 a.m.
  • The Bipartisan Policy Center holds a meeting with experts to discuss cybersecurity risks that companies, governments and individuals will face in 2023 on Monday at 11 a.m. 

Thanks for reading. See you tomorrow.