Welcome to Metacurity’s Friday Report where we wrap up the week’s infosec news according to the big themes that emerged during the week.
First, this past week was slightly quiet in terms of cybersecurity news but, as has seemed to be the case over the past several months, the most eye-popping news dropped on Friday. In the first big Friday news drop, Daily Beast reporters were told by numerous sources that from around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to a compromise of the CIA’s internet-based covert communications system used to interact with its informants. The compromise started in Iran but spread outward, resulting in the deaths of dozens of people and possibly leading to similar moves by China, which led to equally disastrous outcomes.
The second bombshell of the week came from the Center for Public Integrity, which posted an in-depth report, worth reading in its entirety. It said that, in preparation to defend against an electronic attack by Russia against the 2018 midterm elections, the U.S. intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyberattack. The move indicates that the U.S. is more formally integrating offensive cyberattacks into its military planning and is making good on new powers handed to the military under a Trump presidential memo designed to allow Defense Secretary James Mattis and Director of National Intelligence Dan Coats to approve retaliatory strikes without the approval of others in the government.
On the heels of news that Cyber Command was sending “I-see-you” messages to Russian operatives in an effort to stave off Russian cyberattacks, National Security Adviser John Bolton said earlier in the week, without mentioning any specifics, that the U.S. is undertaking offensive cyber operations to protect next week’s midterm elections but that it is too soon to tell whether they are effective. They may very well have been effective because Russia has indeed thus far been strangely inert when it comes to election-related hacking, something that leaves some experts reassured but makes other experts paranoid about last-minute surprises.
China, on the other hand, has continued to get battered as the bad guy of the year by the Trump Administration. The week started out with a Commerce Department ban on goods from Chinese state-backed chipmaker Fujian Jinhua, citing security concerns. Then, a government-backed watchdog group accused China of exporting its “digital authoritarianism” to other countries around the globe.
For the third time since September, the Justice Department brought charges against Chinese intelligence officers and their recruits for trying to steal U.S. intellectual property, unsealing an indictment from October 25 against 10 Chinese spies, hackers and others accused of conspiring to steal sensitive commercial airline and other secrets from U.S. and European companies.
After that, the Justice Department unsealed charges against several individuals and Chinese and Taiwanese companies for trade-secret theft while unveiling a broad initiative to combat what the administration says is growing economic cyber activity by China. Fujian Jinhua was central to that complaint and was accused of trying to learn trade secrets through the criminal acts of former employees of semiconductor company Micron’s Taiwan branch.
A lot more happened this week, so check out our homepage or scan the week’s top news by going to our Snacks page for a quick scroll through the summaries.
With that, we leave you with this bit of video that shows just why password security is currently an oxymoron among most infosec professionals:
SE never fails?? pic.twitter.com/ZMRpxjY8cf
— Snazzy Sanoj (@snazzysanoj) October 28, 2018
Be safe and be sane out there. And when you get a chance, don’t forget to support Metacurity by becoming a patron. We really need your help! Thank you.
Feature image by Linda D. Kozaryn (http://www.defenselink.mil; VIRIN: 20007122d;) [Public domain], via Wikimedia Commons