Best Infosec-Related Long Reads of the Week, 7/1/23
Fixing the CFAA and cyber staff shortages, ICE pre-crimes with LexisNexis data, Sandworm chief's master's thesis, Grocery store spying, Fooling AI tools, Cyber insurance sizing, Balkan cyber crisis
Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
Schrödinger’s Hacking Law And Cyber Burnout: Capacity Building in U.S. Cybersecurity
In the Council on Foreign Relations Blog, Tarah Wheeler argues that cybersecurity will continue to be a problem until the chronic shortage of qualified professionals is remedied and the problems in the Computer Fraud and Abuse Act, which makes it arguably illegal to learn to be a computer security expert, are fixed.
If policymakers had reacted to watching Jaws [instead of watching Matthew Broderick’s War Games] by banning surfing and leaving enforcement up to prosecutors who’d never learned to swim, you’d have the marine equivalent to the Computer Fraud and Abuse Act. Eventually, you’d end up with no one able to cope with oceanic threats other than those who’d been willing to break the law to brave the waves. Then, imagine that the United States had a severe shortage of Coast Guard applicants who could already swim, fish, survive in hurricanes, and engage in deep sea rescue, and was totally bewildered as to why this shortage existed.
The best cybercrime attorneys in the United States most of the time cannot tell you if you have broken or would break the law by doing something as simple as running an Nmap scan, which is the cyber equivalent of walking down a neighborhood street, noticing from the sidewalk that a neighbor’s door is gaping open even though no one looks to be home, and texting your neighbor to tell them they might have a security issue. This inability to tell if a law is being broken is not only unconstitutional per the Vagueness Doctrine, it is also one of the ways that a profound lack of diversity in cybersecurity manifests, contributing even further to the lack of cybersecurity talent development. The consequences for potentially breaking the CFAA are clearly, tragically far worse if you are a person of color, career failures and missteps are punished far more harshly in women, and it makes sense to more carefully avoid learning offensive techniques if you are likely to face outsized consequences for so doing.
LEXISNEXIS IS SELLING YOUR PERSONAL DATA TO ICE SO IT CAN TRY TO PREDICT CRIMES
The Intercept’s Sam Biddle got a hold of a document that shows that the legal research and public records data broker LexisNexis is providing US Immigration and Customs Enforcement with tools to target people who may potentially commit a crime, arguing that a $16.8 million contract between ICE and LexisNexis is mass surveillance at its core.
“LexisNexis Risk Solutions prides itself on the responsible use of data, and the contract with the Department of Homeland Security encompasses only data allowed for such uses,” said LexisNexis spokesperson Jennifer Richman. She told The Intercept the company’s work with ICE doesn’t violate the law or federal policy, but did not respond to specific questions.
The document reveals that over 11,000 ICE officials, including within the explicitly deportation-oriented Enforcement and Removal Operations branch, were using LexisNexis as of 2021. “This includes supporting all aspects of ICE screening and vetting, lead development, and criminal analysis activities,” the document says.
In practice, this means ICE is using software to “automate” the hunt for suspicious-looking blips in the data, or links between people, places, and property. It is unclear how such blips in the data can be linked to immigration infractions or criminal activity, but the contract’s use of the term “automate” indicates that ICE is to some extent letting computers make consequential conclusions about human activity. The contract further notes that the LexisNexis analysis includes “identifying potentially criminal and fraudulent behavior before crime and fraud can materialize.” (ICE did not respond to a request for comment.)
The man behind the world's most dangerous hacking group
In this not particularly long but illuminating piece, Max Hoppenstedt, Hakan Tanriverdi, Marcel Rosenbach, and Carina Huppertz in Spiegel reveal they got a hold of the master’s thesis by Yevgeny Serebryakov, who heads the notorious Sandworm hackers, which offers a window into his brutal and crude worldview.
Serebryakov's views are widespread in Russia, says IT security expert Dmitri Alperovitch. “There is no distinction between cyber attacks and disinformation. It's all one and the same. The aim is to change the opponent's way of thinking.” Alperovitch says that “immense power” is ascribed to this “weapon”. “That's not true, but they believe it.”
Experts from the German IT security company DCSO come to a similar conclusion: Apparently the author wants to make a career move and is therefore repeating what everyone thinks anyway: “Serebryakov keeps saying that you have to unite the whole of society so that they can defend themselves better. That society has to be controlled and monitored for this.” Russian identity is a battlefield. “If you think this through, you understand how the GRU legitimizes its offensive cyber actions.”
Serebryakov's master's thesis is not just a document that reveals his own way of thinking. It also gives an indication of the ideology and narratives that can make things happen in the Russian intelligence apparatus.
Barred From Grocery Stores by Facial Recognition
The New York Times’s Adam Satariano and Kashmir Hill offer a case study of Facewatch, a facial recognition technology company used by retailers to track shoplifters, as a parable for how these systems are reaching ever farther into people’s lives and becoming more common as Western countries grapple with advances brought on by artificial intelligence.
Facewatch, which licenses facial recognition software made by Real Networks and Amazon, is now inside nearly 400 stores across Britain. Trained on millions of pictures and videos, the systems read the biometric information of a face as the person walks into a shop and check it against a database of flagged people.
Facewatch’s watchlist is constantly growing as stores upload photos of shoplifters and problematic customers. Once added, a person remains there for a year before being deleted.
Every time Facewatch’s system identifies a shoplifter, a notification goes to a person who passed a test to be a “super recognizer” — someone with a special talent for remembering faces. Within seconds, the super recognizer must confirm the match against the Facewatch database before an alert is sent.
But while the company has created policies to prevent misidentification and other errors, mistakes happen.
In October, a woman buying milk in a supermarket in Bristol, England, was confronted by an employee and ordered to leave. She was told that Facewatch had flagged her as a barred shoplifter.
The woman, who asked that her name be withheld because of privacy concerns and whose story was corroborated by materials provided by her lawyer and Facewatch, said there must have been a mistake. When she contacted Facewatch a few days later, the company apologized, saying it was a case of mistaken identity.
How Easy Is It to Fool A.I.-Detection Tools?
The New York Times’s Stuart A. Thompson and Tiffany Hsu tested five new services that detect what’s real and what’s AI-generated using more than 100 synthetic images and real photos, showing results that suggest the services are advancing rapidly but sometimes fall short.
[One] image appears to show the billionaire entrepreneur Elon Musk embracing a lifelike robot. The image was created using Midjourney, the A.I. image generator, by Guerrero Art, an artist who works with A.I. technology.
Despite the implausibility of the image, it managed to fool several A.I.-image detectors.
The detectors, including versions that charge for access, such as Sensity, and free ones, such as Umm-maybe’s A.I. Art Detector, are designed to detect difficult-to-spot markers embedded in A.I.-generated images. They look for unusual patterns in how the pixels are arranged, including in their sharpness and contrast. Those signals tend to be generated when A.I. programs create images.
But the detectors ignore all context clues, so they don’t process the existence of a lifelike automaton in a photo with Mr. Musk as unlikely. That is one shortcoming of relying on the technology to detect fakes.
Several companies, including Sensity, Hive and Inholo, the company behind Illuminarty, did not dispute the results and said their systems were always improving to keep up with the latest advancements in A.I.-image generation. Hive added that its misclassifications may result when it analyzes lower-quality images. Umm-maybe and Optic, the company behind A.I. or Not, did not respond to requests for comment.
How Big Is the Cyber Insurance Market? Can It Keep Growing?
Tom Johansmeyer, a Ph.D. candidate in international conflict analysis at the University of Kent, Canterbury, offers in Lawfare Blog what he considers a good starting point for understanding the essential characteristics of the cyber insurance market, particularly its size, the size of the cyber reinsurance market on which it depends, where future risk capital could come from, and at what price.
Global cyber market premiums tend to be easier to ascertain in retrospect, and time adds at least a bit of certainty. As a result, recent estimates are most likely to defy consensus, with those for 2023 being the most volatile by nature. The year is still in progress, and market conditions could influence the final result. Conversations with the market players and experts suggest that global cyber insurance premiums could end this year at up to $15 billion. Recent rapid rate increases, however, have slowed—which isn’t a surprise—meaning that a more modest outcome of around $13 billion is more realistic.
For 2022, it’s also fairly difficult to estimate because it’s so recent, but global cyber insurance premiums range from Swiss Re’s $10 billion to Munich Re’s $11.9 billion to as much as $14 billion. Several private sources put the 2022 estimate at around $10-12 billion. These numbers also square with independently calculated estimates of worldwide reinsurance premiums (more on this below). Even at the low end of the 2022 range, global cyber premiums clearly climbed sharply from the 2021 Swiss Re estimate of $8 billion, itself up from only $5.5 billion in 2020.
The high rate of market concentration may contribute to some of the volatility of industry estimates. Despite the high rate of premium growth recently, the cyber insurance market remains highly concentrated. The five largest insurers account for as much as a third of the worldwide total, according to estimates gathered from formal interviews, in conjunction with the market size estimates above. Market share could vary from the range above, but the point nonetheless remains. Further, focus on cyber insurance premiums masks the fact that revenue growth does not mean an increase in protection for end insureds. In fact, premiums have grown far faster than the protection offered for cyber risks.
The amount of cyber insurance limit outstanding is even harder to estimate than premiums. Informal private conversations yield a 2022 range of around $360-500 billion. The estimates at the higher end come from sources who believe that the market shares of the largest players are relatively low, while the lower estimates reflect a belief that market concentration is quite high. A working estimate of $400-450 billion seems to be the right fit, as it would reflect an average rate on line (ROL)—or cost of insurance—ranging from around two and a half percent to a little more than three percent, which seems indicative of the recent rate increases that led to such significant premium growth. There’s still room for people to disagree reasonably, but the range of the potential 2022 premium suggests a limit outstanding of at least close to $400 billion and pretty far down from $500 billion.
Battle For Balkan Cybersecurity: Threats And Implications Of Biometrics And Digital Identity – Analysis
Igor Ispanovic, Azem Kurtic, Gjergj Erebara, Xheneta Murtezaj, and Bojan Stojkovski at Balkan Insight (formerly the Balkan Investigative Reporting Network, BIRN) mapped 40 cases and collated data on notable cyberattacks targeting the Balkan region’s biometrics and digital identity (BDI) systems into a database. They found that between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo, and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents.
The research shows a prevalence of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, and limited regional collaboration, have exacerbated the challenges the Balkan countries face in combating cybercrime.
The public sector, banks and individual citizens were primary targets of these cyberattacks. Perpetrators exploited vulnerabilities in the digital infrastructure and security measures of both private and public entities.
A growing reliance on biometrics and digital identity in online banking, e-government services and border control is a key regional trend. Technological advances aimed at improving security and efficiency drove this reliance. However, implementing BDI systems has raised concerns about protecting individuals’ privacy, data, and the potential misuse of personal information.
Addressing cybersecurity threats in the Balkan region requires increased public awareness, improved cybersecurity policies and practices and enhanced regional collaboration.
The Balkan region faces significant risks and opportunities due to its growing reliance on biometrics and digital identity. Balancing security with privacy and data protection is crucial in this context.
The Balkan region has witnessed a significant increase in internet penetration and the integration of Biometrics and Digital Identity (BDI) technologies into various sectors, BIRN research shows.
Between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents.