Elon Musk knows jack about cybersecurity

Don't miss my latest CSO piece that examines how Musk's DOGE effort could spread malware across the US government and expose critical government systems to threat actors.

On Tuesdays and Thursdays, our premium subscribers have full access to our original content, expansive summaries, intelligently clustered related articles, our best and worst things of the day, and our customary closing thoughts.

So, please consider upgrading your subscription today to access this content along with Metacurity's complete archives.

Summary of the most critical infosec developments you should know today (complete postings available below to premium subscribers)

• Federal prosecutors charged Canadian fugitive Andean Medjedovic with stealing $65 million in cryptocurrency from a pair of crypto platforms and also with laundering his illegal gains.
• Last fall, the US Agency for International Development learned a cryptojacking incident hit it after Microsoft notified it that a global administrator account located in a test environment had been breached through a password spray attack.
• Security intelligence specialist VulnCheck reports that the 2024 calendar year saw a total of 768 CVE-listed vulnerabilities come under fire from threat actors in the wild, a 20% increase from 2023 when 639 vulnerabilities were actively attacked.
• In a new policy document, Meta suggests that there are certain scenarios in which it may not release a highly capable AI system it developed internally if they are deemed "high risk" or "critical risk" systems.
• Artificial intelligence startup Anthropic has demonstrated a new technique to prevent users from eliciting harmful content from its models as leading tech groups, including Microsoft and Meta, race to find ways to protect against dangers posed by cutting-edge technology.
• The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability that has been exploited in the wild.
  Columbus Mayor Andrew Ginther's office said citizens' private health information was compromised when hackers infiltrated the city of Columbus computer systems last summer.
• Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider account.
• Two more Texas Health and Human Services Commission employees have been fired for accessing the private information of Texans seeking public assistance in the state’s Medicaid, food stamps, and other programs.
• The January breach of PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students across North America, has the potential to be one of the biggest breaches of the year, and yet the company is keeping mum about many important details.
• With Trump now in office, the most dire straits that some opponents were advocating for the Cybersecurity and Infrastructure Security Agency appear to be off the table.
• French cybersecurity startup Riot announced it had raised $30 million in a Series B venture round.

Elon Musk knows jack about cybersecurity

As the phenomenal infiltration of US government digital assets by Elon Musk and his band of very young men continues, one thing is clear: Elon Musk knows jack about cybersecurity.

As my piece in today's CSO Online attests, along with excellent reporting from some top infosec journalists and superb ongoing scoops from Wired and traditional media outlets, the US is likely in for a world of hurt once malicious threat actors have acted on the enormous security bungling by Musk's team. Financially motivated criminals and nation-states might steal every secret the government harbors and exploit every critical weakness exposed by the crew's sloppy cybersecurity efforts.

Some think Musk is a genius for becoming the world's richest man. But when it comes to protecting digital assets, Musk is no savant. When he took over Twitter, he fired virtually all of the social media network's trust and safety crew, along with most cybersecurity employees.

"Elon Musk does not imbue some sort of special cybersecurity veil. His SpaceX and Tesla have both been hit hard by data breaches," Mark Montgomery of the Foundation for the Defense of Democracies tells Metacurity. "There's nothing special about Elon Musk and cybersecurity. He's just as weak or strong as everyone else. And so, the fact that you're a brilliant businessman has almost nothing to do with being with properly following cybersecurity governance rules."