Best Infosec-Related Long Reads of the Week, 6/10/23

How Biden's cyber strategy compares to those of previous admins, Biden's game-changing security by design focus, Sec. 702 might not be renewed, India's job scams, Spain's 'sewer rat' ex-spy

Twenty-Five Years of White House Cyber Policies

In Lawfare Blog, Jason Healey, Senior Research Scholar at Columbia University’s School for International and Public Affairs, opens a two-part series on White House cybersecurity policies by comparing the Biden administration’s National Cybersecurity Strategy (NCS), which he helped draft, with the similar efforts of earlier administrations.

Real strategic concepts should be simple and short. The U.S. Cold War strategy was a single word (containment). The Army’s counterinsurgency strategy could be encapsulated in a simple phrase (roughly, to win hearts and minds). Moreover, a strategic concept should be expandable, that is, practitioners can take the basic strategic idea and unpack it to develop deeper objectives in line with the established concept. They are also both negatable, so that a critic can argue no, not “hearts and minds” but “kill the insurgents.” Together, these efforts drive priorities, so that the bureaucracy, when faced with competing priorities that improve cybersecurity, can decide which ones to invest in further and which to deprecate.

Past U.S. cyber strategies lacked any such expandable, negatable strategic concept. They have largely been just lists of actions, with little connection and with few ways to prioritize between them. For example, President George W. Bush’s National Strategy to Secure Cyberspace (2003) had three strategic objectives—prevent cyberattacks, reduce national vulnerability, and minimize damage and recovery time—but no guidance about which of the three was more important.

The NCS accordingly breaks new ground by calling for two shifts and a theory of change. The NCS first calls for a shift of the burdens from end users to the “most-capable and best-positioned cyber actors” who are most able to make cybersecurity improvements at scale. More specifically, the strategy aims to shift the responsibility of defending against cyberattacks from small businesses and independent users, for example, onto the federal government. The second shift calls for a change to realign incentives for more long-term investments. In other words, federal resources should be reallocated and directed to getting two marshmallows tomorrow rather than just one today.

The National Cybersecurity Strategy: Breaking a 50-Year Losing Streak

In the second part of Lawfare Blog’s series about White House cybersecurity policies, Jason Healey explains how the Biden Administration’s National Cybersecurity Strategy seeks to upend the 50-year-old belief that attackers always have the advantage by focusing heavily on security by design.

The new strategy tackles head-on the seemingly eternal challenges of security by design, calling for “fundamental changes to the underlying dynamics of the digital ecosystem,” rebalancing “the advantage to its defenders and perpetually frustrating the forces that would threaten it.”

This requires realigning incentives to favor long-term investments, one of the first fundamental shifts in the strategy. When faced with the trade-offs between easy but temporary fixes and durable, long-term solutions, the U.S. government must help ensure that organizations—whether public or private sector—are incentivized to consistently choose the more secure and resilient path. Software companies should no longer be incentivized, for example, to rush insecure products to market, maximizing their profit but inflicting insecurity on everyone else.

The other fundamental shift in the strategy is rebalancing the responsibility to defend cyberspace from those with the least ability to those with the greatest. It is ineffective—and frankly unjust—to expect individuals, small businesses, state and local governments, and others with limited resources to successfully implement cybersecurity.

The strategy essentially calls for the U.S. population to raise its expectations of cyberspace’s most capable actors—specifically the federal government but also the major technology companies—to weave a more defensible cyberspace.

The Coming Fight Over American Surveillance

Elizabeth Goitein, Senior Director of the Brennan Center for Justice’s Liberty and National Security Program, makes the case for why, unlike in years past, shifting politics make it unlikely that Congress will renew Section 702 of the Foreign Intelligence Service Act (FISA), which enables the government to conduct warrantless surveillance of foreigners abroad, sometimes sweeping up Americans in the process.

Since Section 702’s enactment, progressives and libertarians in Congress have expressed concerns over the law and have worked together to try to reform it. But until recently, centrist Democrats and Republicans supported the law. Moreover, the congressional intelligence committees, like the FISA Court, have tended to act as intelligence agencies’ partners rather than their overseers. These committees have exercised their clout to sideline reform efforts.

Over the course of the Trump administration, however, the politics of FISA radically shifted. The Department of Justice’s inspector general issued a report in 2019 with sobering findings: the government’s applications to the FISA Court under Title I of FISA to surveil a Trump campaign aide, Carter Page, were riddled with errors and omissions. A follow-up report showed that similar flaws pervaded Title I surveillance applications in general, suggesting that slipshod submissions to the FISA Court are the norm. Nonetheless, Trump and his supporters in Congress concluded that the Obama administration (which initiated the Page surveillance) abused FISA for political purposes.

Since then, a large faction of Republicans has turned against FISA in all its forms. When a different provision of FISA came up for reauthorization in 2020, Trump fired off a storm of tweets opposing it, and the reauthorization failed. As for Democratic lawmakers, four years under Trump opened their eyes to the importance of meaningful checks on executive power. They also have been alarmed by recent revelations about the frequency of backdoor searches and the FBI’s widespread violations of querying rules, including incidents of spying on racial justice protesters.

Lose money online working from home: Job scams spike in India

Bilal Kuchay in Rest of World delves into online get-rich-quick scammers exploiting a job crisis in India, luring desperate job seekers into fake work-at-home jobs that have bilked 30,000 people of over $24 million.

In a difficult economic environment, such scam job offers are “a source of great hope” for people, Pavan Duggal, a Supreme Court lawyer specializing in cyberlaw and cybercrime, told Rest of World. “[Such] cybercrime promises that you will likely get your money in the best possible period of time — that you would [otherwise] not be in a position to generate.”

The lack of digital literacy in India compounds the issue, according to Prateek Waghre, policy director at the digital advocacy nonprofit Internet Freedom Foundation. “People aren’t really able to tell the difference between what’s genuine outreach versus what is likely to be a scam,” he told Rest of World.

The Delhi and Gurugram police have identified a set playbook that the scammers follow: They text the victim over WhatsApp, Telegram or other social media platforms; introduce themselves as representatives of a reputed firm; and offer part-time jobs. The victims are then added to Telegram groups and given simple tasks such as liking videos on YouTube, following celebrities on Instagram, rating movies, or buying products on e-commerce sites. The scammers win the victims’ trust by paying back small sums at the start.

The Spy Who Called Me

The New York Times Magazine writer Nicholas Casey tells the story of José Manuel Villarejo Pérez, a former Spanish government spy who traded on that role to secretly tape conversations with Spain’s wealthiest and most influential people, including former King Juan Carlos I. Some portions of those tapes were leaked to small websites; the bulk of them Villarejo still uses as leverage over Spain’s power elite.

When people call Villarejo the king of the sewers — el rey de las cloacas — they are referring not to literal sewers but to a shadow state or deep state that, many say, has pulled levers of power in the country since the time of Franco, the nationalist dictator who took power in the same era as Adolf Hitler and Benito Mussolini. But unlike them, he ruled his country until 1975, in a decades-long dictatorship whose ghosts remain easy to spot to this day. Franco’s former mausoleum still overlooks the capital. Spain’s time zone remains an hour off from its original one because Franco changed the clocks to match the hour in Nazi Germany — part of the reason dinner here often begins at 10 p.m.

And then there are the so-called sewers, a network of current and former police chiefs, intelligence officials and military officials — all largely men of Villarejo’s generation who grew up under the dictatorship and still wield power now. It was among this crowd that Villarejo had been dubbed “king.”

I asked him what he thought of that title. He shrugged. “What people don’t understand is that sewers don’t generate the crap, they clean the city, they take the crap away,” he began. “Rome triumphed because it had good sewers.” He told me about a sanctuary in the Roman Forum, the Shrine of Venus Cloacina, built to celebrate the city’s drainage system. “Sure, you go into certain places and you come out smelling bad. But someone has to do this work, and instead of punishing the guy who does this job, we should think about thanking him.”