Tag: Cyber Security

Categories
Writing

Cybercrime, Advanced Persistent Threats, and Human-Centric Security

RUSI has published a compelling essay arguing that policy makers and threat intelligence groups should focus more time and attention towards the activities of cyber criminals.

Contemporary cyber criminals:

  • have many operational characteristics that parallel those of nation-state supported advanced persistent threats
  • are quickly innovating and developing new exploit processes and chains in reaction to market developments, and
  • have a real and significant impact on the lives of people around the world.

Moreover, criminals are increasingly targeting critical infrastructure, an activity-type which has characteristically been associated with nation-state supported organizations.

While it’s left unstated in the essay, Larson is also implicitly is calling for a focus on human-centric security practices. Such a focus would see policy makers and cyber practitioners work to more actively stymie the worst harms felt by individuals and communities affected by cyber operations or incidents. Such a focus might, also, see countries or organizations shift resources away from impeding nation-state supported threat actors and towards law enforcement agencies and cybersecurity bodies or, alternately, see national governments update operational guidance to prioritize targeting cyber criminals’ organizations or infrastructure using offensive cyber capacities.

Categories
Links

New Russian APT Daisy-Chain Capability Revealed

In an impressive operation, a Russian APT reportedly targeted a Washington, DC network after daisy chaining through a sequence of neighbouring networks and devices in 2022. The trick: they may have done so without ever using any local operatives.

This is a movie-like kind of operation and speaks to the immense challenges in defending against very well resourced, motivated, and entrepreneurial adversaries.

Wired has a good and accessible article on the cyber activity. The full report is available at Volexity’s website; it’s well worth the read, if only to appreciate the tradecraft of the adversaries as well as Veloxity’s own acumen.

Categories
Writing

Intelligence Commissioner Raises Concerns About Canada’s Federal Cybersecurity Legislation

Earlier this week the Intelligence Commissioner (IC) appeared at the Standing Senate Committee on National Security, Defence and Veterans Affairs on Bill C-26, along with federal Privacy Commissioner. The bill is intended to enhance the cybersecurity requirements that critical infrastructure providers must adopt.

The IC’s remarks are now public. He made four very notable comments in his opening remarks:

  1. The IC warned that the proposed amendments to the Telecom Act would allow the minister to essentially compel the production of any information in support of orders. This information could include personal information – which under broad exceptions, could then be widely disclosed.
  2. Part 2 allows for the regulators to carry out the equivalent of unwarranted searches – where again, personal information could be collected.
  3. The CSE will play a vital role and will be the holder of this information, in a technological form or otherwise, which will contain elements for which we have a reasonable expectation of privacy.
  4. In light of the invasive nature of the Bill, he asserted that it is important that meaningful safeguards be part of the legislation so that Canadians have confidence in the cybersecurity system.

His responses to comments at committee — not yet available through Hansard — made even more clear that he believed that amendments are needed to integrate appropriate oversight and accountability measures into the legislation. The IC’s comments, combined with those of the federal Privacy Commissioner of Canada and civil society representatives, constitute a clear warning to senators about the potential implications of the legislation.

It will be interesting to see how they respond.

Categories
Links Writing

Encryption Use Hits a New Height in Canada

In a continuing demonstration of the importance of strong and privacy-protective communications, the federal Foreign Interference Commission has created a Signal account to receive confidential information.

Encrypted Messaging
For those who may feel more comfortable providing information to the Commission using encrypted means, they may do so through the Signal – Private Messenger app. Those who already have a Signal account can contact the Commission using our username below. Others will have to first download the app and set up an account before they can communicate with the Commission.

The Commission’s Signal Username is signal_pifi_epie20.24

Signal users can also scan QR Code below for the Commission’s username:

The Commission has put strict measures in place to protect the confidentiality of any information provided through this Signal account.

Not so long ago, the Government of Canada was arguing for an irresponsible encryption policy that included the ability to backdoor end-to-end encryption. It’s hard to overstate the significance of a government body now explicitly adopting Signal.

Categories
Aside Writing

2024.6.27

For the past many months I’ve had the joy of working with, and learning from, a truly terrific set of colleagues. One of the files we’ve handled has been around law reform in Ontario and specifically Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act.

Our organization’s submission focuses on ways to further improve the legislation by way of offering 28 recommendations that apply to Schedule 1 (concerning cybersecurity, artificial intelligence, and technologies affecting individuals under the age of 18) and Schedule 2 (amendments to FIPPA). Broadly, our recommendations concern the levels of accountability, transparency, and oversight that are needed in a rapidly changing world.

Categories
Aside

2024.3.18

It is exceptionally rewarding to see years of research and advocacy while I was at my former employer lead to significant reforms to legislation The effect, thus far, has been to protect residents of Canada from cyber-related threats while, also, imposing checks on otherwise unfettered government power and simultaneously protecting all residents of Canada’s privacy.

Categories
Links Writing

Near-Term Threats Posed by Emergent AI Technologies

A cyberpunk image of a series of hackers that represent the 1970s, the 1980s, the 1990s, the 2000s, and the 2050s.

In January, the UK’s National Cyber Security Centre (NCSC) published its assessment of the near-term impact of AI with regards to cyber threats. The whole assessment is worth reading for its clarity and brevity in identifying different ways that AI technologies will be used by high-capacity state actors, by other state and well resourced criminal and mercenary actors, and by comparatively low-skill actors.

A few items which caught my eye:

  • More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
  • AI will almost certainly make cyber operations more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
  • AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
  • Cyber resilience challenges will become more acute as the technology develops. To 2025, GenAI and large language models will make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing or social engineering attempts.

There are more insights, such as the value of training data held by high capacity actors and the likelihood that low skill actors will see significant upskilling over the next 18 months due to the availability of AI technologies.

The potential to assess information more quickly may have particularly notable impacts in the national security space, enable more effective corporate espionage operations, as well as enhance cyber criminal activities. In all cases, the ability to assess and query volumes of information at speed and scale will let threat actors extract value from information more efficiently than today.

The fact that the same technologies may enable lower-skilled actors to undertake wider ransomware operations, where it will be challenging to distinguish legitimate versus illegitimate security-related emails, also speaks to the desperate need for organizations to transition to higher-security solutions, including multiple factor authentication or passkeys.

Categories
Links Writing

The Near-Term Impact of AI Technologies and Cyber Threats

In January, the UK’s National Cyber Security Centre (NCSC) published its assessment of the near-term impact of AI with regards to cyber threats. The whole assessment is worth reading for its clarity and brevity in identifying different ways that AI technologies will be used by high-capacity state actors, by other state and well resourced criminal and mercenary actors, and by comparatively low-skill actors.

A few items which caught my eye:

  • More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
  • AI will almost certainly make cyber operations more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
  • AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
  • Cyber resilience challenges will become more acute as the technology develops. To 2025, GenAI and large language models will make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing or social engineering attempts.

There are more insights, such as the value of training data held by high capacity actors and the likelihood that low skill actors will see significant upskilling over the next 18 months due to the availability of AI technologies.

The potential to assess information more quickly may have particularly notable impacts in the national security space, enable more effective corporate espionage operations, as well as enhance cyber criminal activities. In all cases, the ability to assess and query volumes of information at speed and scale will let threat actors extract value from information more efficiently than today.

The fact that the same technologies may enable lower-skilled actors to undertake wider ransomware operations, where it will be challenging to distinguish legitimate versus illegitimate security-related emails, also speaks to the desperate need for organizations to transition to higher-security solutions, including multiple factor authentication or passkeys.

Categories
Links

Pulling Back the Curtain on the Appin Cyber Mercenary Organization

Curious about what “cyber mercenaries” do? How they operate and facilitate targeting?

This excellent long-form piece from Reuters exquisitely details the history of Appin, an Indian cyber mercenary outfit, and confirms and publicly reveals many of the operations that it has undertaken.

As an aside, the sourcing in this article is particularly impressive, which is to expected from Satter et al. They keep showing they’re amongst the best in the business!

Moreover, the sidenote concerning the NSA’s awareness of the company, and why, is notable in its own right. The authors write,

The National Security Agency (NSA), which spies on foreigners for the U.S. government, began surveilling the company after watching it hack “high value” Pakistani officials around 2009, one of the sources said. An NSA spokesperson declined to comment.

This showcases that Appin may either have been seen as a source of fourth-party collection (i.e. where an intelligence service takes the collection material, as another service is themselves collecting it from a target) or have endangered the NSA’s own collection or targeting activities, on the basis that Appin could provoke targets to assume heightened cybersecurity practices or otherwise cause them to behave in ways that interfered with the NSA’s own operations.

Categories
Links

Russian Cyber Doctrine and Its Implementation

Photo by Mati Mango on Pexels.com

While the following might be a bit bellicose it, at the same time, has a ring of truth to it.

Using a foreign country’s military doctrine to reframe fuck-ups as successes — here, that the Russians’ real operations have had the intended effects — boils down to doing a GRU colonel’s work for him; placating Gerasimov about whether or not the O6’s department has contributed to winning the war, among other things.

The Russian government and its various agencies have been incredibly active in attempting to influence or affect the ability of the Ukrainian government to resist the illegal Russian invasion of its territory. But at the same time there has been a back and forth about the successes or failures of Russia in largely academic or public policy circles. In at least some cases, these arguments seem to argue for the successes of the Russian doctrine without sufficient evidence to maintain the position.

Notwithstanding the value of some of those debates it’s nice to see a line of critique that is more attentive to the structure of institutions and what often drives them, with the affect of broadening the rationales and explanations for the (un)successful efforts in the cyber domain by Russian forces.