Commentary on the Implementation Plan for the 2023 US National Cybersecurity Strategy

The Atlantic Council released a detailed commentary on the White House’s new “Implementation Plan for the 2023 US National Cybersecurity Strategy.” Lots of interesting bits. So far, at least three trends emerge:
First, the plan contains a (somewhat) more concrete list of actions than its parent strategy, with useful delineation of lead and supporting agencies, as well as timelines aplenty. By assigning each action a designated lead and timeline, and by including a new nominal section (6) focused entirely on assessing effectiveness and continued iteration, the ONCD suggests that this is not so much a standalone text as the framework for an annual, crucially iterative policy process. That many of the milestones are still hazy might be less important than the commitment the administration has made to revisit this plan annually, allowing the ONCD team to leverage their unique combination of topical depth and budgetary review authority.
Second, there are clear wins. Open-source software (OSS) and support for energy-sector cybersecurity receive considerable focus, and there is a greater budgetary push on both technology modernization and cybersecurity research. But there are missed opportunities as well. Many of the strategy’s most difficult and revolutionary goals—holding data stewards accountable through privacy legislation, finally implementing a working digital identity solution, patching gaps in regulatory frameworks for cloud risk, and implementing a regime for software cybersecurity liability—have been pared down or omitted entirely. There is an unnerving absence of “incentive-shifting-focused” actions, one of the most significant overarching objectives from the initial strategy. This backpedaling may be the result of a new appreciation for a deadlocked Congress and the precarious present for the administrative state, but it falls short of the original strategy’s vision and risks making no progress against its most ambitious goals.
Third, many of the implementation plan’s goals have timelines stretching into 2025. The disruption of a transition, be it to a second term for the current administration or the first term of another, will be difficult to manage under the best of circumstances. This leaves still more of the boldest ideas in this plan in jeopardy and raises questions about how best to prioritize, or accelerate, among those listed here.

Source: Commentary on the Implementation Plan for the 2023 US National Cybersecurity Strategy


Linux Tier List

This list was created by Chris Titus. Interesting how he has these grouped.


Fast machines, slow machines – Julio Merino (jmmv.dev)

A recent Twitter post comparing an older computer running Windows NT 3.51 and a newer one running Windows 11 showed the older computer loading apps instantly while the newer computer showed significant lag. This opened up a discussion on how, while computers have gotten better, performance on trivial tasks has regressed. Latency on modern computer interfaces is getting worse. Frameworks, layers of abstraction, and the mass adoption of managed and interpreted languages are causing a lot of this latency.

Source: Fast machines, slow machines – Julio Merino (jmmv.dev)


FBI: FISA Section 702 ‘absolutely critical’ • The Register

No protection without surveillance?

Source: FBI: FISA Section 702 ‘absolutely critical’ • The Register


Snowden Ten Years Later

In 2013 and 2014, I wrote extensively about new revelations regarding NSA surveillance based on the documents provided by Edward Snowden. But I had a more personal involvement as well. I wrote the essay below in September 2013. The New Yorker agreed to publish it, but the Guardian asked me not to. It was scared of UK law enforcement, and worried that this essay would reflect badly on it. And given that the UK police would raid its offices in July 2014, it had legitimate cause to be worried. Now, ten years later, I offer this as a time capsule of what those early months of Snowden were like.
It’s a surreal experience, paging through hundreds of top-secret NSA documents. You’re peering into a forbidden world: strange, confusing, and fascinating all at the same time. I had flown down to Rio de Janeiro in late August at the request of Glenn Greenwald. He had been working on the Edward Snowden archive for a couple of months, and had a pile of more technical documents that he wanted help interpreting. According to Greenwald, Snowden also thought that bringing me down was a good idea. It made sense. I didn’t know either of them, but I have been writing about cryptography, security, and privacy for decades. I could decipher some of the technical language that Greenwald had difficulty with, and understand the context and importance of various documents. And I have long been publicly critical of the NSA’s eavesdropping capabilities. My knowledge and expertise could help figure out which stories needed to be reported. I thought about it a lot before agreeing. This was before David Miranda, Greenwald’s partner, was detained at Heathrow airport by the UK authorities; but even without that, I knew there was a risk. I fly a lot—a quarter of a million miles per year—and being put on a TSA list, or being detained at the US border and having my electronics confiscated, would be a major problem. So would the FBI breaking into my home and seizing my personal electronics.
But in the end, that made me more determined to do it. I did spend some time on the phone with the attorneys recommended to me by the ACLU and the EFF. And I talked about it with my partner, especially when Miranda was detained three days before my departure. Both Greenwald and his employer, the Guardian, are careful about whom they show the documents to. They publish only those portions essential to getting the story out. It was important to them that I be a co-author, not a source. I didn’t follow the legal reasoning, but the point is that the Guardian doesn’t want to leak the documents to random people. It will, however, write stories in the public interest, and I would be allowed to review the documents as part of that process. So after a Skype conversation with someone at the Guardian, I signed a letter of engagement. And then I flew to Brazil. I saw only a tiny slice of the documents, and most of what I saw was surprisingly banal. The concerns of the top-secret world are largely tactical: system upgrades, operational problems owing to weather, delays because of work backlogs, and so on. I paged through weekly reports, presentation slides from status meetings, and general briefings to educate visitors. Management is management, even inside the NSA. Reading the documents, I felt as though I were sitting through some of those endless meetings. The meeting presenters try to spice things up. Presentations regularly include intelligence success stories. There were details—what had been found, and how, and where it helped—and sometimes there were attaboys from “customers” who used the intelligence. I’m sure these are intended to remind NSA employees that they’re doing good. It definitely had an effect on me. Those were all things I want the NSA to be doing. There were so many code names. Everything has one: every program, every piece of equipment, every piece of software. Sometimes code names had their own code names.
The biggest secrets seem to be the underlying real-world information: which particular company MONEYROCKET is; what software vulnerability EGOTISTICALGIRAFFE—really, I am not making that one up—is; how TURBINE works. Those secrets collectively have

Source: Snowden Ten Years Later


Ten years ago, Edward Snowden warned us about state spying. Spare a thought for him, and worry about the future | Alan Rusbridger

Even amid the cacophony of social media, most journalism is met with a shrug or a murmur. But one story the Guardian published 10 years ago today exploded with the force of an earthquake. The article revealed that the US National Security Agency (NSA) was collecting the phone records of millions of Verizon customers. In case anyone doubted the veracity of the claims, we were able to publish the top secret court order handed down by the foreign intelligence surveillance court (Fisa), which granted the US government the right to hold and scrutinise the metadata of millions of phone calls by American citizens. The document was marked TOP SECRET//SI//NOFORN – an extremely high level of classification which meant that it was not to be shared with any foreign governments, far less Guardian journalists or, God forbid, Guardian readers. Who knows the degree of panic that spread through the upper echelons of the US intelligence system as they tried to work out how such a sensitive document had found its way into the public domain. But that will have been nothing to the dawning realisation – in the UK as well as the US – that this was but the tip of a very large and ominous iceberg. Over the following weeks, the Guardian (joined by the Washington Post, New York Times and ProPublica) led the way in publishing dozens more documents disclosing the extent to which US, UK, Australian and other allied governments were building the apparatus for a system of mass surveillance that George Orwell could hardly have dared imagine when he wrote his dystopic novel Nineteen Eighty-Four. Within a few days, the source of the documents, Edward Snowden, unmasked himself on the Guardian website and for weeks thereafter the stories dominated the news around the world. It has since been memorialised in at least three films, stage dramas, books, numerous academic papers … and even an album.
It led to multiple court actions in which governments were found to have been in breach of their constitutional and/or legal obligations. It led to a scramble by governments to retrospectively pass legislation sanctioning the activities they had been covertly undertaking. And it has led to a number of stable-door attempts to make sure journalists could never again do what the Guar

Source: Ten years ago, Edward Snowden warned us about state spying. Spare a thought for him, and worry about the future | Alan Rusbridger


This is How Far the Feds Go to Spy on You

All we want is your metadata. Bluffdale has plenty of room for you. Enjoy!


SpaceX & US Military Are Ready For Satellite Wars

Anything is possible these days. Maybe there is use for the Space Force.


China’s Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected

A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the “Five Eyes” nations said on Wednesday. The tech giant’s threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon.

Source: China’s Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected


CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF)

Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware. The #StopRansomware Guide serves as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The authoring organizations recommend that entities review this joint guide to prepare and protect their facilities, personnel, and customers from the impacts of ransomware and data exfiltration. For more information and to access the latest resources about how to stop ransomware, please visit stopransomware.gov. This joint guide was developed through the Joint Ransomware Task Force (JRTF), an interagency collaborative effort to reduce the prevalence and impact of ransomware attacks. JRTF was established by Congress in 2022 and is co-chaired by CISA and FBI. For additional information about the JRTF, please visit CISA’s newly launched Joint Ransomware Task Force (JRTF) webpage.

Source: CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF)