Seriously Risky Business Newsletter
December 19, 2024
Two Hats Are Better Than Two Heads
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray . It's supported by Lawfare with help from the William and Flora Hewlett Foundation.
Note: this is the last edition of Seriously Risky Business for 2024 and we'll be back in February 2025. Happy holidays everyone!
You can hear a podcast discussion of this newsletter by searching for "Risky Bulletin" in your podcatcher or subscribing via this RSS feed.
Planned changes to the leadership of US Cyber Command (CYBERCOM) and the National Security Agency (NSA) will prioritise short-term cyber disruption operations at the expense of longer-term intelligence collection.
The incoming Trump administration plans to end the current 'dual-hat' arrangement whereby both organisations are led by a single officer, according to The Record. The article says the proposal is in its early stages but there aren't any major impediments to the change. Essentially, it only requires that both the Secretary of Defense and the Chairman of the Joint Chiefs certify that the change wouldn't pose an 'unacceptable risk to the military effectiveness' of CYBERCOM.
The change has been proposed before. President Obama supported a split way back in 2017, and it was again pushed just before the end of President Trump's first term. On that occasion, the plan was killed by then-chairman of the Joint Chiefs, General Mark Milley.
The Record notes "some insiders believe Cyber Command sucks resources from NSA", and it is our understanding at Risky Biz HQ that, from a purely practical point of view, CYBERCOM does not currently have the resources it would need to operate entirely independently of NSA.
In addition to current on-the-ground practicalities, a more enduring issue the proposal raises is that CYBERCOM and NSA’s goals are different and, at least to some extent, incompatible.
NSA prioritises intelligence-gathering and would like to operate stealthily to avoid being caught and having its capabilities discovered and 'burnt'.
CYBERCOM relies on this intelligence gathering but also has a mandate to undertake disruptive cyber operations that are intended to harm adversaries and are therefore more likely to be noticed.
So, while a successful cyber espionage operation is never discovered and burnt, even a successful CYBERCOM action will sometimes cost intelligence as targets discover they've been hit and adapt to or mitigate the tools and techniques that were used against them.
The current dual-hat structure means a single person in charge of both organisations can weigh competing intelligence and disruption options. Is the national security benefit from disrupting a particular target in a particular circumstance worth the risk to intelligence capabilities?
US lawmakers understand these tradeoffs, and General Timothy Haugh, now the head of NSA and CYBERCOM, was asked specifically about them during his Senate confirmation hearings in July last year. In response Haugh wrote:
This is perhaps the most critical advantage of the dual hat – a single decision maker, responsible and accountable for the mission outcomes of both organisations, is best equipped to protect critical intelligence equities [ie NSA investment in intelligence capabilities] while executing national priorities, as directed. It ensures fully informed tradeoff decisions are made under accountability to both the Secretary of Defense and Director of National Intelligence.
When asked specifically about accesses (sources of intelligence) developed by NSA being used and burnt by CYBERCOM, Haugh responded:
As a result of the overlap of the signals intelligence and cyber operations environments, NSA and USCYBERCOM have developed a close partnership in this area. Under the current leadership arrangement, a single, fully informed decision maker, responsible for the separate and distinct mission outcomes of both organizations, is able to protect our nation's most sensitive signals intelligence equities while operating in defense of national interests and ensuring both organisations are aligned with the nation's priorities. If confirmed, I will continue to utilise and improve processes for identifying and evaluating the sharing of accesses, where appropriate, from NSA to USCYBERCOM, from USCYBERCOM to NSA, and with other key partners, to deliver the best outcomes for the nation.
The Record points out that removing the dual-hat arrangement would reshape the relationship between the two organisations:
… Cyber Command requires a four-star officer to lead it as it's one of the Pentagon's 11 combatant commands. The NSA, as a "combat support agency," needs only a three-star chief. Eliminating the dual-hat essentially would allow the military’s organization responsible for carrying out offensive cyber operations against adversaries overseas to outrank the U.S. government's top electronic spy agency.
Done right, cyber disruption operations can be effective but tend to have impacts that are short-lived and limited to days or weeks. Intelligence operations tend not to have the same immediate impact, but are force multipliers because they inform the smart application of other instruments of national power. This results in potentially huge, but longer-term and less visible impact.
We agree with Haugh's argument that a single decision-maker is best placed to weigh up these decisions.
However, if the dual-hat arrangement is ended, these decisions still need to be made on a case-by-case basis and not according to a hierarchy that places military disruption ahead of intelligence collection every time. That is the challenge that any system—one hat, two hats or a rodeo of Stetsons—needs to address.
Corpo-Drivel Swamps SEC Disclosures
Cyber security-related regulations adopted a year ago by the US Securities and Exchange Commission (SEC) have mostly failed to achieve their stated purpose, according to a report from the incident response firm BreachRx.
The rules, which came into effect on 18 December last year, required that companies disclose material cyber security incidents and provide yearly reports describing how they were managing their cyber security risks. The intent of these regulations was to make more actionable information about these risks and incidents available to investors.
BreachRx analysed nearly a year's worth of cyber security-related SEC filings and found that companies are often reporting meaningless drivel that doesn't usefully inform the market.
When it comes to disclosure of material cyber security incidents, only three companies got it right and lodged the appropriate paperwork (item 1.05 on Form 8-K) once they'd determined that a material incident had occurred. The majority of companies filed these forms to ward off potential SEC action, even before determining whether an incident was material. Forty seven companies filed 71 8-K forms, but only 11 of the filings identified material impact. Over half of these filings were boilerplate statements: 'there was unauthorised activity; we are taking steps to contain, assess and remediate the incident; we have not determined if the incident will have a material impact'. That's as useful as a one-legged man in an arse-kicking contest.
The annual disclosures covering firms' cyber risk management approaches weren't much better. BreachRx analysed 418 disclosures and says the "majority described their cyber risks and incident response and disclosure procedures in nearly identical and generic terms" [emphasis in original]. Only 19% described incident response plans and processes, and only 2% (10 companies) explicitly cited cyber security risk experience on their boards.
There is evidence that increased transparency improves incentives for companies to act on cyber security risks, so we think the answer to too much drivel is that the SEC should invest more in educating companies about what good disclosure looks like.
How WhatsApp Became an Everything App
Rest of World has published a fantastic series of articles about the creation of WhatsApp and its incorporation into Meta, its rise as a cultural force around the world, and its use for emergency communications in crisis and conflict areas.
The app's usefulness in conflict areas stems in parts from its early goals. Rest of World's first article describes "reliable messaging for everyone, everywhere" as its business strategy:
Working out of an unmarked, converted garage in Mountain View, California, the engineering team was laser-focused on ensuring speed and reliability — whether a user was messaging from the latest iPhone in a major American city, or BlackBerrys and Nokia feature phones operating in the most remote places. "We were trying to hit every user, everywhere, on every platform," Chris Peiffer, one of WhatsApp's first hires and who worked at Stanford University with Koum, told Rest of World. He recalled hiking to a cellular dead zone in the hills near Mountain View with a Nokia C3 to test WhatsApp's durability with limited bandwidth.
The third Rest of World article says that in conflict zones, "the app's compression algorithm, which in part allows it to function in areas with poor connectivity, makes it particularly useful". It describes a journalist in Gaza connecting to the outer edges of Egyptian or Israeli networks:
She climbed to exposed and dangerous high points in search of a phone signal. The connection was typically too weak to connect for email, but WhatsApp functioned. Thanks to WhatsApp's compression algorithms, she was able to send voice notes, videos, and documents to her colleagues in London.
However, it's not all good news. WhatsApp can also be used to inflame tensions and incite violence. In South Sudan it has been used to plan and coordinate attacks and ambushes and WhatsApp groups have been connected with revenge killings in Somalia.
For compelling insights into how a service with a simple initial objective has enabled far-reaching social change, the series is well worth reading.
Three Reasons to Be Cheerful This Week:
- Android tracker alerts: Google has announced new features in Android that will protect users from unwanted bluetooth tracking. One feature provides automatic notifications to users if an unfamiliar bluetooth tracker is moving with their device and (if the tracker is compatible with Google's Find My Device) can be used to pinpoint the tracker's location.
- 792 online scammers arrested: Nigerian authorities arrested 792(!) people suspected of being involved in online investment or romance scams. The suspects operated from a seven-story building in Lagos.
- Using lawsuits to improve security: Ars Technica reports on whistleblowers using the United States' False Claims Act to earn big paydays by suing companies that are not meeting security obligations spelled out in federal government contracts. Encouraging these lawsuits is a deliberate government strategy to discourage negligent security practices.
Shorts
EU Will Investigate TikTok Over Romanian Election Interference
The European Union has announced a formal investigation into TikTok over its handling of content related to the first round of voting in the recent Romanian presidential election. We described this alleged interference in last week's edition.
European Commission President Ursula von der Leyen said "Following serious indications that foreign actors interfered in the Romanian presidential elections by using TikTok, we are now thoroughly investigating whether TikTok has violated the Digital Services Act by failing to tackle such risks".
Although this is a huge deal, it's not the most immediate threat that TikTok has to deal with. TikTok CEO Shou Zi Chew met with President-elect Donald Trump this week as the company tries to head off a law that will force Chinese parent company ByteDance to sell the platform or face a ban in the United States.
EU Sanctions for Russian Shenanigans
The European Council has announced sanctions against 16 individuals involved in 'Russia's destabilising hybrid activities'.
The sanctions target people involved in Russian propaganda as well as several GRU (Russian military intelligence) officers, among others. The Record has further coverage.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about the evolution of Russian cyber operations during its invasion of Ukraine.
Or watch it on YouTube!
From Risky Biz News:
CISA sent 2,100+ pre-ransomware alerts this year: The US Cybersecurity and Infrastructure Security Agency has sent out 2,131 pre-ransomware activity notifications to US organizations throughout the year.
The notifications were sent via a program named the Pre-Ransomware Notification Initiative (PRNI), which CISA launched in March of 2023.
The program uses tips received from the private sector to detect early ransomware activity and notify potential targets before their data is stolen or encrypted.
[more on Risky Business News]
Germany's BSI sinkholes BADBOX malware traffic: Germany's cybersecurity agency has sinkholed internet traffic originating from Germany and going to the command and control servers of the BADBOX malware group.
The malware was first spotted in October of last year by Human Security, a company specialized in detecting advertising fraud.
The BADBOX group assembled a botnet of over 280,000 systems by hiding its malware in malicious Android and iOS apps and inside the firmware of Android TV streaming boxes.
Human Security said the BADBOX group operated out of China and most likely had access to hardware supply chains where its members could deploy the malicious firmware on streaming boxes.
[more on Risky Business News]
Secret ransomware campaign targeted DrayTek routers for a year: Threat actors have secretly abused a suspected zero-day in DrayTek routers since August of last year to hack devices, steal passwords, and then deploy ransomware on connected networks.
According to a joint report from Forescout and PRODAFT, the attacks were carried out by a threat actor known as Monstrous Mantis—believed to be linked to the Ragnar Locker ransomware group.
The attacker used the zero-day to extract and crack the passwords of DrayTek Vigor routers and then hand out the credentials to selected collaborators.
[more on Risky Business News, including more on the groups collaborating with Monstrous Mantis to deploy ransomware]