A newsletter briefing on cybersecurity news and policy.
with research by McKenzie Beard
A newsletter briefing on cybersecurity news and policy.
Welcome to The Cybersecurity 202! Noooooooo. Please don’t combine one of my favorite things, the octopus, with one of my least favorite things, robots doing things I don’t want them to do.
Below: Ukraine warns about forthcoming Russian cyberattacks, while the Biden administration and TikTok approach a possible security-related deal. But first:
The United States ranks 16th on the World Happiness list, last place on health-care systems among 11 high-income countries and 129th on the Global Peace Index. But there’s one area where it’s still No. 1: cyber power.
That’s according to the second edition of the National Cyber Power Index out today, part of the Cyber Project within the Harvard Kennedy School Belfer Center.
The index makes its return after its inaugural edition in 2020. While No. 1 and No. 2 are the same as before — the United States and China — Russia has moved into the top three, and several nations have rocketed up the list, like Iran, Ukraine, Vietnam and South Korea.
The list ranks 30 nations across a range of factors, including offense and defense. It seeks to measure capabilities in eight objectives, like foreign intelligence collection or ability to destroy rivals’ infrastructure. Those that rank highly on the list demonstrate both capabilities with cyber power and the willingness to use it.
“Trying to apply outside data and indicators to parse this out, I think is an important endeavor,” Lauren Zabierek, executive director of the Cyber Project, told me. “Because how else do you even start the conversation and try to develop that understanding?”
One goal of the list is to look beyond the nations that most commonly emerge in conversations about cyber: the United States, China, Russia, Iran and North Korea. North Korea doesn’t even crack the index’s top 10, which is populated by a fair number of “not the usual suspects,” like France or the Netherlands.
That full top 10 is, in order: the United States, China, Russia, United Kingdom, Australia, Netherlands, South Korea, Vietnam, France and Iran.
Ukraine has demonstrated its defensive capabilities since the Russian war, for instance, and Iran has gotten more aggressive about using cyber for financial purposes.
While North Korea ranks only 14th, it’s well above other countries in that financial category.
The United States, meanwhile, ranks highly in almost every category, especially its destructive capabilities and in using cyber to gather intelligence.
The International Institute for Strategic Studies (IISS) assembled its own cyber power rankings last year, using a different method and system, but still concluding that in cyberspace, the United States is in a tier of its own.
Both ranking systems have drawn questions about their methodologies, but some have even asked whether they provide any value at all.
“The rankings themselves raise questions as to their value regardless of the methodology used, as trying to assess cyber power quantitatively and qualitatively is purely a subjective exercise,” Emilio Iasiello, a cyber pro and former Defense Intelligence Agency intel officer, wrote last year about the IISS list. “Quantifying amorphous issue-areas like cyber dependence and empowerment, global influence in governance (no headway has been made by anyone), the existence of a strategy and more importantly, military doctrine (often not publicly available), is more art than science.”
The authors of today’s report — Julia Voo, Irfan Hemani and Daniel Cassidy — acknowledge some limitations of the exercise.
“Due to the sensitivities of some aspects of cyber power, particularly destructive, defensive and espionage capabilities and their reliance on domestic national security structures, states may deliberately be shielding their intent and capabilities from public knowledge for strategic purposes,” they write.
But “just because something is hard doesn’t mean we shouldn’t try,” Zabierek said.
“We know the shortcomings of the index … but we stand by that this is better than nothing,” she said. “We know that we’re only starting to witness these important conversations on cyber power, and we know they will spark debate, which we are proud of.”
Citing the specter of widespread voter fraud, Republicans across the country are embracing an aggressive tactic to bulk up state agencies’ power and resources to investigate election crimes ahead of the midterms this November, our colleagues Beth Reinhard and Yvonne Wingett Sanchez report.
But a Washington Post examination of an earlier endeavor in Arizona to sniff out fraud found it has prosecuted just 20 cases in the last three years, despite having received thousands of election-related complaints.
Rather than reassure citizens about the strength of the local voting systems, The Post’s review found that the state’s election crimes unit fueled more bogus theories and distrust while sapping valuable government resources — an example of the dangerous consequences that can emerge when public officials use their power to reinforce false claims that voter fraud is a significant issue in American elections.
The Ukrainian military intelligence service is warning that Russia is planning “massive cyberattacks” targeting the critical infrastructure of Ukraine and its closest allies, specifically Poland and the Baltic state, Cyberscoop’s AJ Vicens reports.
Ukraine’s Defense Intelligence agency expects the incoming wave of cyberattacks to be focused initially on the country’s energy sector, with the goal of blunting the Ukrainian army’s ongoing offensive and increasing the destructive effects of missile strikes against the country’s energy supply facilities, the agency said in a statement posted to a government website.
“The experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations,” the advisory warned, alluding to two infamous Kremlin-backed assaults on the country’s power grid that left Ukrainians without heat or electricity in the middle of winter.
The announcement comes as researchers from Google have begun raising alarm bells about a growing body of evidence that suggests pro-Russian hackers and online activists are coordinating with the country’s military intelligence agency, the Wall Street Journal’s Robert McMillan and Dustin Volz reported recently.
But the Ukrainian announcement puzzled some in the cybersecurity world over its lack of specifics.
The Biden administration and TikTok are hammering out the details of a preliminary agreement that would let the video-sharing platform continue operating in the United States without requiring its owner, the Chinese internet giant ByteDance, to sell it, told the New York Times.
The deal is still in flux, but people familiar with the foundations of the agreement said it would require the company to take action in three key areas:
Next steps: High-ranking officials from the Justice Department, which is leading negotiations with the company, and the Treasury Department have criticized the current draft as not tough enough on China or doing enough to address the administration’s national security concerns. That, coupled with the impending midterm elections, could force changes to the terms and prolong a final resolution to the issue for months.
The Times story arrived the same day that the United Kingdom raised the prospect of a $29 million fine for a possible breach of a data protection law.
The Federal Communications Commission voted 4-0 Friday to approve a proposal to limit spam texts, Margaret Harden McGill reports for Axios.
“The American people are fed up with scam texts, and we need to use every tool we have to do something about it,” said chairwoman Jessica Rosenworcel.
This is just one step in the life of the regulations. The approved proposal, awaiting a vote for nearly a year, seeks comment from cell phone companies about the idea of requiring them to block spam texts from known illegal and fraudulent numbers. It’s a process that could add even more months to the timetable.
And Congress is unlikely to take action to update the pertinent 1991 law, which doesn’t reflect today’s technology. “Politicians themselves want to be able to send these texts without fear of being sued,” Margot Saunders, senior counsel to the National Consumer Law Center, told Axios.
Watchdog dings IRS for vendor security lapses (FCW)
U.S. State Department says Putin could send Snowden to war (the Daily Beast)
How ‘China coup’ tweets went viral, and what it says about the rapid spread of disinformation (CyberScoop)
Viasat hack “did not” have huge impact on Ukrainian military communications, official says (Zero Day)
Cyberattack on InterContinental Hotels disrupts business at franchisees (the Wall Street Journal)
US arm of Israeli defense giant Elbit Systems says it was hacked (TechCrunch)
The only people now afraid of the Russian military are Russian men of military age.
Thanks for reading. See you tomorrow.
‘This too shall pass away’ this famous Persian adage seems to be defeating us again and again in the case of COVID-19. Despite every effort