Security in the digital economy is still in sight


Welcome to The Cybersecurity 202! Social media being what it is, you never know what will pop up in your feeds. So here’s a baby “tank pony” protecting its sedated parent.

Below: The Office of Management and Budget issues a memo for agencies to catalogue quantum-vulnerable systems, and Meta fires allegedly malicious insiders. First: 

Bad news for a major cryptocurrency exchange isn’t all bad for a digitized economy

The collapse of major cryptocurrency exchange FTX and loss of between $1 billion and $2 billion — a significant amount of which hackers may have stolen — has been huge news over the past week. It makes one wonder about the security of cryptocurrency, or even online financial security in general. 

But, as they say in “The Hitchhiker’s Guide to the Galaxy,” don’t panic. That’s what Phil Venables, chief information security officer on Google Cloud, and Tom Robinson, founder and chief scientist at blockchain analytics firm Elliptic, told me at a Washington Post Live event focused on protecting one’s money and data online.

It’s not that there aren’t significant security challenges in protecting money online, they acknowledged. But both espoused a degree of optimism, arguing that we all might be just fine — or even better off in some ways — in a more digitized economy in the long term.

As of last weekend, Elliptic suspected $477 million had been stolen from FTX, one of the world’s largest cryptocurrency exchanges, before it filed for bankruptcy. 

“On Friday evening, we noticed some large crypto transactions out of FTX’s wallet, and they began to exhibit some of the characteristics of what we see when a large theft has happened, when a hack has happened,” Robinson told me.

  • “So, for example, a lot of these assets were sent through decentralized exchanges in order to convert them into other assets, and that’s something we very commonly see with large hacks because the hacker is trying to avoid seizure of the stolen assets.”

FTX’s security woes have spilled out in court and elsewhere. “Unacceptable management practices included the use of an unsecured group email account as the root user to access confidential private keys and critically sensitive data for the FTX Group companies around the world,” new CEO John Ray III wrote in a bankruptcy filing.

Confidence in crypto and online finance in general

What happened at FTX is sure to have a ripple effect in consumer confidence in crypto, Robinson said, even if he doesn’t believe it should.

“I think this is a big hit for the cryptocurrency industry, and it will take a long time to recover,” he said. “But, personally, I still have the same confidence about the underlying technology and its potential to revolutionize finance.  We have been through instances like this in the past. I think the perception with the industry is that a lot of the bad actors had been cleared out of the industry, but obviously the events last week show that that’s not entirely the case.”

The digitization of the economy generally has brought some security improvements, Venables said. 

“I think it’s been great for convenience, and in many respects, it’s also been great for security, because some of the online mechanisms, despite some of the challenges of online security, are actually probably more secure than some of the old previous, more kind of manual experiences,” he said, citing features like alerts that tell bank customers when their accounts make a transaction above a certain threshold.

Living our lives more online doesn’t necessarily mean more data breaches and hacks, said Venables, calling himself a “short-term pessimist, long-term optimist.”

  • Right now, a lot of organizations use online platforms where security has been tacked on afterward, which makes them more vulnerable than the alternative, according to Venables.
  • More and more organizations are in a transition state, moving toward using things that are designed to be secure from the outset, he said.

On the other hand, new doesn’t equal better. Take blockchain bridges, which allow someone to move crypto assets from one blockchain to another. Funds are stored in cryptocurrency wallets when they’re sent through bridges.

Because it’s an “immature” technology, hackers have found plenty of bugs to exploit and steal billions of dollars from them, Robinson said.

“We’ve seen a bit of a pivot of cybercriminality away from things such as ransomware toward exploiting the crypto space, and again, I think that’s just because of the amounts of money that are hanging around it in wallets out there and there for the taking if they can work out how to exploit that,” Robinson said.

How some U.S. adversaries are exploiting crypto

Different nations are making use of cryptocurrencies in different ways for illicit aims, Robinson said.

  • Militant groups in Russia-occupied Ukraine are asking for crypto donations to help their war efforts. Some high-level Kremlin officials are using crypto to bypass banking restrictions, but “on a relatively small scale so far,” he said.
  • Iran has instituted a licensing regime for cryptomining, potentially to evade sanctions. Iran has ample natural resources but can’t do much with it internationally because of trade embargoes. Instead, it can use those resources to generate electricity, then use that electricity to mine cryptocurrency, Robinson said. Iranian hackers even breached a U.S. government agency and installed cryptomining software, although it’s not clear whether financial gain or espionage was the endgame.
  • The North Korean government-linked hackers known as Lazarus Group are behind a lot of the cryptocurrency thefts. “I think they’ve simply identified it as the biggest opportunity out there and so have developed their skills to match that opportunity,” he said.

To better protect citizens’ data online, governments need to secure the data they hold for public services, Venables said.

Governments also need to serve as messengers for good security, such as advocating for multi-factor authentication, and they need to create mechanisms for sharing information with the private sector, he said. And in Venables’s view, those are all things the U.S. government has been doing better all the time.

Crypto needs more regulations, Robinson said, and legislation to establish regulatory frameworks. While there’s been some cracking down on illicit finance, the biggest gap is in consumer protection, something the European Union is addressing with its forthcoming regulations, he said.

“If they’re going to be effective, there needs to be similar regulations in place globally, because what we’re seeing in a lot of cases is crypto businesses using regulatory arbitrage to base themselves in a jurisdiction where there is relatively little regulation but then offer their services globally,” Robinson said.

“I think you need to make it difficult for the criminals to be able to cash out,” Robinson said. “I think there’s been a lot of progress in this area over the past decade, but these funds are being stolen because they’re able to convert the crypto back into fiat currency at some point and therefore profit from their crimes.”

The Biden administration has been taking a number of steps to tackle illicit use of crypto, such as sanctioning a cryptocurrency mixer that it says has been used to launder billions and  forming a global alliance to counter ransomware.

Federal government tells agencies to catalogue systems vulnerable to quantum attacks

The Office of Management and Budget is directing federal agencies in a new memo to list the systems they have that use types of encryption that quantum computers are expected to be able to crack in the coming years, according to a copy of the memo exclusively obtained by The Cybersecurity 202. The memo, which OMB is releasing today, directs agencies to give CISA and National Cyber Director Chris Inglis’s office a prioritized list of systems by May 4 and update it annually until 2035.

“We’re going to learn a lot,” Chris DeRusha, the federal chief information security officer and deputy national cyber director, told The Cybersecurity 202. “The first major deadline in the memo is May 2023, so not a lot of time for agencies to do their first analysis and get their inventories back to us.” 

“Once we have this data it will enable us to have smart conversations with them, about what they’ve learned, where there is common hardware and software across federal government environments that we can take an enterprise approach to addressing, versus an agency-by-agency approach,” said DeRusha, who will lead a new “cryptographic migration working group,” according to the memo. “These are the things I’m excited about with this exercise. That’s the ‘new’ here, this is government really leading the charge.”

Facebook parent Meta fires workers who allegedly accepted bribes to take over accounts

The employees and contractors — more than two dozen in all — were fired over the last year amid a long internal investigation at Meta, the Wall Street Journal’s Kirsten Grind and Robert McMillan report. Some workers at Meta allegedly accepted bribes from hackers who wanted access to accounts, they report.

“Some of those fired were contractors who worked as security guards stationed at Meta facilities and were given access to the Facebook parent’s internal mechanism for employees to help users having trouble with their accounts,” they write, citing documents and people familiar with the matter. “The mechanism, known internally as ‘Oops,’ has existed since Facebook’s early years as a means for employees to help users they know who have forgotten their passwords or emails, or had their accounts taken over by hackers,” they write.

Meta spokesman Andy Stone told the Wall Street Journal that “individuals selling fraudulent services are always targeting online platforms, including ours, and adapting their tactics in response to the detection methods that are commonly used across the industry,” adding that Meta “will keep taking appropriate action against those involved in these kinds of schemes.”

Dozens of state AGs ask FTC to consider stronger data security rules

A bipartisan group of 33 state attorneys general told the Federal Trade Commission that private firms’ practices of collection of location data, biometric data and medical data poses risks to consumers, and that the FTC should look to some states that require that businesses limit the personal data that they collect. The attorneys general wrote that they’re “concerned about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.”

The letter came in the final days before an agency deadline for comments on an advance notice of proposed rulemaking for commercial surveillance and data security rules.

Google wins Russian botnet hack suit and attorney sanctions (Law360)

Amazon poaches top National Cyber Security Centre exec Levy (Sky News)

Texas signals potential changes to cybersecurity policies (StateScoop)

  • Elizabeth Kolmstetter is joining the Cybersecurity and Infrastructure Security Agency as its first chief people officer. Kolmstetter previously led NASA’s workforce engagement division.
  • Doreen Bogdan-Martin, the newly elected secretary general of the International Telecommunication Union, and National Archives and Records Administration innovation chief Pamela Wright speak at an American University event today at 8:30 a.m.

Thanks for reading. See you next week.