Musk clearly didn’t consult with the competent CISOs at OMB, Treasury, and US AID

Musk's "Big Balls" teen worker has a dubious background, Congress gets vocal about Musk's DOGE, DOGE wants to jettison Slack to dodge FOIA, S. Korea blocks DeepSeek, DeepSeek sends user data to China Mobile, Spanish cops bust prolific hacker, Blinken requested Ashkelon hacker extradition, much more


There's been grumbling lately about the Common Vulnerability Scoring System, so I looked more closely at whether the industry is ready to move on from the ubiquitous system. Check out what I found in my latest piece for Cyberscoop.




Summary of the most critical infosec developments you should know today (complete postings available below to premium subscribers)

  • Edward Coristine, a young technologist known online as “Big Balls” who has a checkered professional and online history and works for Elon Musk's so-called Department of Government Efficiency (DOGE), has access to sensitive US government systems.
  • Congress is getting vocal about the privacy and security implications of Elon Musk and his cohorts at the Department of Government Efficiency accessing federal systems.
  • Employees of the agency, now known as DOGE, have been ordered to stop using Slack while government lawyers attempt to transition the agency to one not subject to the Freedom of Information Act.
  • South Korea's industry ministry has temporarily blocked employee access to Chinese artificial intelligence startup DeepSeek due to security concerns as the government urges caution on generative AI services.
  • Researchers at Feroot report that the website of the Chinese artificial intelligence company DeepSeek has computer code that could send some user login information to China Mobile, a Chinese state-owned telecommunications company that has been barred from operating in the United States.
  • The Italian government said that a spyware campaign revealed by WhatsApp and carried out with spyware made by Paragon Solutions targeted people across several European countries. 
  • European prosecutors are examining how the Moscow office of the French IT group Atos used staff in Russia to buy software in 2021 for the highly sensitive new EU electronic border system, which aims to gather and store biometric data on all non-EU visitors to the EU.
  • Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.
  • Despite a prior understanding, former US Secretary of State Antony Blinken recently requested the extradition of an Israeli citizen known as the "Ashkelon hacker" after he was released from prison in Israel and later arrested in Oslo at Washington’s request.
  • Researchers at Kaspersky report that Android and iOS apps on the Google Play Store and Apple App Store contain a malicious software development kit (SDK) designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR) stealers.
  • The US Federal Communications Commission (FCC) proposed a $4,492,500 fine against VoIP service provider Telnyx for allegedly allowing customers to make robocalls posing as a fictitious FCC "Fraud Prevention Team" by failing to comply with Know Your Customer (KYC) rules.
  • Engineering firm IMI revealed it had been hit by a cyber attack just a week after rival Smiths Group said hackers had gained access to its global systems.
  • Researchers at Abnormal Security report that a help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections.
  • The San Francisco-Marin Food Bank disclosed a data breach affecting over 60,000 people.
  • CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.
  • Application security startup Semgrep announced it had raised $100 million in a Series D funding round.

Clearly Musk didn’t consult with the competent CISOs at OMB, Treasury, and US AID

While teenagers, or those just barely out of their teens, with dubious security clearances rummage around in sensitive US federal systems, possibly violating federal cybersecurity and privacy laws and maybe spreading malware and inviting US adversary hacks along the way, qualified chief information security officers (CISOs) are at the top of the plundered government agencies.

They are no doubt watching with increasing alarm as Musk's DOGE workers possibly burn to the ground any security measures they oversee.

Almost certainly compounding those CISOs' anxiety is the recent move by Donald Trump to politicize the roles of federal government chief information officers (CIOs) to whom those CISOs report.

Over at OMB, Michael Duffy is the agency's CISO and the interim Federal Chief Information Security Officer, where he is responsible for driving cybersecurity policy development and adoption, overseeing strategy alignment and implementation efforts, and ensuring cyber program improvement and maturation across the entire Federal Government.

Duffy has legitimate credentials for the job. He was most recently the Associate Director for Capacity Building within CISA's Cybersecurity Division, is a two-time recipient of the Secretary of Homeland Security's Meritorious Service award for his contributions to national-level cybersecurity, and chairs the Federal Chief Information Security Officers (CISO) Council, the primary body for interagency CISO collaboration and communication, among other accomplishments.

The US Treasury Department likewise has a competent CISO in Christopher Adams. Adams has over 15 years of IT experience, including over a decade in various security and CIO roles in the Air Force, a stint as CIO at the National Space Defense Center, and private sector cybersecurity experience. He holds multiple master of science degrees in IT and digital forensics.

Another government agency that Musk and his young workers targeted is the US Agency for International Development, or US AID, which now may be doomed due to the rapidly moving destruction that Musk and Trump are wreaking on the federal government. It also has a qualified CISO, Steve Hernandez, who was previously the Department of Education's CISO and worked in information security at the Department of Health and Human Services' Office of Inspector General. He has been the co-chair of the United States Federal Chief Information Security Officer Council since 2018.
