By Joseph Gedeon | With help from John Sakellariadis
— Hackers likely spent years infiltrating a popular and critical open source tool, but an "angry mob of nerds" stopped them in 24 hours — sparking debates in Washington about the future of open source security.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! It’s been quite a run reporting on cybersecurity, but I’m moving on to a new beat. I’m looking to pull the cover off a groundbreaking new federal agency: the Department of Nap Enforcement. Catch me next on Morning Naps*.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.
Tempe, Arizona’s chief data and analytics officer Stephanie Deitrick, Montgomery County, Maryland chief information officer Gail Roper and Virginia’s Fairfax County chief technology officer Gregory Scott are joining a virtual discussion on AI in local government with the National Academy of Public Administration. 2 p.m.
SHAKEN, NOT SHATTERED — A brazen attempt to inject malicious code into a critical open source software tool is fueling urgent conversations in Washington about fortifying the digital supply chain. But it's also providing a dramatic illustration of the resiliency of the open source community itself, some experts say. John has more details on what happened here. But let's unpack some lessons learned after the episode was revealed on Friday:

— Nation-state suspicions: Investigators say sophisticated hackers likely spent years building credibility before taking control of the widely used Xz data compression utility and attempting to insert tainted code that could enable cyberattacks. The operation bore some hallmarks of a nation-state campaign leveraging human intelligence tactics rarely seen in open source. “I think it’s more likely than not to have been a nation-state,” explained Michael McLaughlin, formerly in counterintelligence at Cyber Command. “That was a very specific work station with a very particular scope.”

— Protecting, not abandoning: While the breach initially raised fears of a software supply chain nightmare, the rapid detection and response likely averted a worse crisis. "For those of us who believe the open and cooperative nature of open source software makes us more secure, we will point back to this as the most important example proving that," Anjana Rajan, the White House’s assistant national cyber director, tells MC.

— A rallying cry: After a suspect GitHub user dubbed "Jia Tan" compromised Xz's controls through an elaborate deception, an "angry mob of nerds" quickly descended on the code, scrutinized every commit and expunged the malware in under 24 hours, according to white hat researcher Marc Rogers. "What it has illustrated is the power of that angry mob of nerds carrying pitchforks and torches," Rogers said of open source's grassroots defense. "I'm confident that this was exercised within a 24-hour window."
While the purge was successful, the hack's sophistication and gall were alarming, and will likely spark investigations by the FBI and NSA into potential nation-state involvement, John writes.

— Keep watching: Still, the close call is spurring cyber leaders to reexamine the security of the open source ecosystem, where many vital internet utilities are maintained by volunteers with limited resources, creating entryways for skilled threat actors. But rather than abandon the open source ethos, Rajan and others argue the Xz incident shows a path toward strengthening those community-driven processes and funding mechanisms. "We need to have conversations about what we do next to protect open source," Rajan said, "but this wasn't a failure — it was open source's principles at work."
HOW PRIVATE IS PRIVATE REALLY? — The latest allegations about Facebook's past surveillance of rivals like Snapchat are raising new privacy and antitrust concerns around Meta's data collection practices. Newly unsealed court documents claim Facebook (before its Meta rebrand) built specialized spyware to intercept and monitor encrypted traffic flows from Snapchat and other competitors between 2016 and 2019 under a project codenamed "Ghostbusters."

— Reading through the suit: The allegations, part of an ongoing antitrust lawsuit against Meta, assert the company's Onavo VPN app was repurposed to conduct a "man-in-the-middle" attack that funneled Snapchat usage data back to Facebook's servers without users' knowledge. The filing includes a 2016 email in which Mark Zuckerberg urged top lieutenants to "figure out a new way to get reliable analytics" on the fast-growing Snapchat, whose encrypted traffic made it difficult to analyze usage patterns. Just days later, the "Ghostbusters" project kicked off – an apparent reference to Snapchat's ghost logo. Plaintiffs allege Facebook's Onavo team built special software to siphon off Snapchat data flows to Facebook servers.

— What it could mean: While it didn't access message content, the spying allegedly let Facebook peek under Snapchat's hood at valuable user metrics and behavior normally kept under wraps. The tools were also allegedly used against YouTube, Amazon and others. “In the worst case they can not only read the contents of packets but potentially modify contents, allowing for profiles to be built about any connection passing through Onavo,” Zach Kissel, a cryptographer at Merrimack College, tells Morning Cyber. "This stuff seems like it crosses a pretty clear red line, maybe even a criminal one," Johns Hopkins University cryptography professor Matthew Green wrote on X, blasting the "evil" tactics as a "Trojan horse" that betrayed users who thought Onavo was securing their data.
— The rebuttal: Meta spokesperson Christopher Sgro denied wrongdoing, saying the claims were "baseless and completely irrelevant to the case" since Onavo users consented to sharing data. In Meta’s own filing last week, it cited testimony from a Snapchat advertising executive who said Snap could not "identify a single ad sale that [it] lost from Meta's use of user research products," and did not know if Meta gained any competitive advantage. Still, others saw covert surveillance as a bridge too far, even for an industry constantly pushing ethical boundaries in pursuit of profits and competitive intelligence. “The traffic analysis capabilities alone are massive,” Kissel said. “If the U.S. were a country with privacy laws afforded in GDPR, this practice would be a gross violation.”
WHO RUNS THE WORLD — The White House put the spotlight on women in cybersecurity with a first-ever global virtual summit on Saturday, convening nearly 800 people from 34 countries to champion career opportunities and highlight underrepresentation in the field. The event aimed to empower the next generation of women in the cyber workforce at a time when they make up just 24 percent of cybersecurity professionals globally, according to White House figures.

— Who showed up: National cyber director Harry Coker, deputy national security adviser Anne Neuberger, CISA director Jen Easterly, State Department principal deputy assistant secretary for cyberspace and digital policy Jennifer Bachus, associate chief information officer at the Treasury Department Sarah Nur and others were among the panelists.

— A long way to go: While efforts have been made in recent years to diversify the cyber workforce, a report put out in December by the International Information System Security Certification Consortium, or ISC2, found that the vast majority of cybersecurity personnel over 40 in the U.S., Canada, the United Kingdom and Ireland are white men. In every age group measured, women make up less than a quarter of the overall cyber workforce in these nations, according to the report.

— New commitments: The event featured panel discussions on career pathways, global opportunities and insights from students pursuing cyber careers. It also highlighted new commitments, including:
- The Kyndryl Foundation is providing grants to U.S. groups like Girl Security, CodePath and NPower.
- Women in Cybersecurity, a nonprofit, pledged to accept more than 1,300 applicants into its cyber upskilling program this year.
“Girls and women — especially from marginalized communities — grew up in a state of fear from childhood; we’re taught to fear everything but we’re secured from nothing,” Girl Security founder Lauren Buitta told MC after the summit. “Girls and women are really good at security and we send that message as part of our program: you have the ability to adapt in any of these technology spaces and to succeed.”

EYES ON NORTH KOREA — The U.S., Japan and South Korea are ratcheting up trilateral efforts to disrupt North Korea's malicious cyber operations used to fund its nuclear weapons and missile programs. At the second meeting of the U.S.-Japan-ROK Trilateral Diplomatic Working Group in Washington on Friday, the three allies reviewed "substantial progress" made in deepening collaboration against Pyongyang's cyber capabilities since the group's inaugural session in Tokyo last December.

— The juicy details: The working-level talks were led by U.S. Deputy Special Representative for North Korea Lyn Debevoise, Japanese cyber ambassador Kumagai Naoki and South Korean foreign ministry director general for North Korean nuclear affairs Lee Jun-il. A readout states the three sides coordinated on "a wide range of trilateral actions" including:
- Information sharing on North Korea cyber threats
- Disrupting Pyongyang's global IT worker networks
- Engaging private industry partners
- Developing joint cyber capacity building initiatives
The stepped-up trilateral cyber effort follows the landmark Camp David summit last August, where President Joe Biden, South Korea’s Yoon Suk Yeol and Japanese Prime Minister Fumio Kishida committed to a strengthened alliance to counter North Korean aggression across all domains.

— In the mood to steal: From phishing scams to blockchain exploits, DPRK-backed cybercriminals, often operating under the banner of the notorious Lazarus Group, have hauled in an estimated $3 billion in crypto since 2017, according to a November report from Recorded Future. More than half of that, $1.7 billion, was stolen in 2022 alone.
Problem solved. Everyone can retire in peace now.
FACTORY RESET — AT&T reset millions of customer passcodes after a data leak containing encrypted passcodes was found online, Zack Whittaker reports for TechCrunch.

BEING SNEAKY — The Biden administration is quietly undermining a bipartisan Senate bill intended to reform and extend a controversial foreign surveillance law, circulating a report that criticizes the proposed legislation, John reports.

“The Audacious MGM Hack That Brought Chaos to Las Vegas” (The Wall Street Journal)

*If you didn’t click the link (or you’re just very gullible) APRIL FOOLS: You’re still stuck with me.

Chat soon. Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).