Welcome to The Cybersecurity 202! I’m back in the sky. San Francisco twice in two months!
Below: A roundup on the latest news surrounding the Discord Leaks, and Israel’s parliament is probing Pegasus. First:
Leaked document: U.S. government ‘zero trust’ could face reckoning from Chinese hackers within 5 years
China’s government is testing capabilities to get around a cybersecurity model that the federal government has embraced — and that testing, combined with “advanced infiltration techniques,” will “probably” allow Chinese access to some government networks protected by the model within the next five years, according to a leaked classified document that hasn’t previously been reported.
Both the Defense Department and the White House have made the “zero trust” model a cybersecurity priority. An oft-ambiguous buzzword, zero-trust includes continuously requiring user identity verification, limiting access and operating under the assumption that attackers have breached an organization’s networks. Documents detailing President Biden’s proposed 2024 budget don’t lay out a specific amount for projected zero-trust spending, but at a minimum it’ll cost the government billions of dollars for years to come.
According to the document, which has a top-secret marking and was posted on Discord alongside a massive tranche of likewise-leaked documents, the People’s Liberation Army of China is working to breach defenses used in Defense Department and other U.S. government zero-trust networks.
“The PLA is seeking to improve virtual environments for testing its cyber capabilities, which when combined with advanced infiltration techniques, probably will enable China to access some USG and DOD networks that are protected by zero-trust architectures (ZTA) within the next 5 years,” reads the document, which is dated Feb. 23, 2023.
The document is labeled as an Office of the Director of National Intelligence (ODNI) summary of reporting by the U.S. intelligence community. It has a marking indicating that the information was collected via sensitive signals intelligence, which typically means it originated from sources like foreign communications intercepts.
- The ODNI did not respond to a request for comment.
- A marking at the end of the document includes the initials of the Defense Intelligence Agency, which did not respond to a request for comment.
It’s not clear how China might specifically test cyber capabilities to get around zero-trust defenses, since zero trust is more an idea than a single product and can be an amalgamation of different defensive tools, like multifactor authentication and advanced decryption.
State of DOD zero trust
Asked about the feasibility of China developing tools to access some zero-trust protected U.S. government and Defense Department networks within five years, a senior U.S. defense official told The Cybersecurity 202 that “it would be a concern to me.”
But the department is constantly scrutinizing enemy intentions and testing defenses, the official said, speaking on the condition of anonymity to discuss sensitive matters.
- Those tests, the official said, have shown the defenses holding up well.
- “I have great confidence that it’s very, very strong security,” the official said. “We are not working under the illusion that it is going to be the absolute answer, or that the enemy couldn’t get a foothold on a specific computer or specific website or something like that. The goal of this, from the beginning — we never said it was going to stop the adversary from getting a foothold. What we want to do is stop them from living in our networks undetected for months, years at a time” and “constrict movement.”
The Defense Department published its first zero-trust strategy in November. It’s an extensively detailed document about the department’s plans to achieve its target level by September 2027.
“Zero trust is a buzzword that you hear out there and have for many years,” the official said about the strategy. “We wanted something tangible that people could look at and say, ‘I know I’ve achieved zero trust or have not achieved zero trust yet.’”
- “For a lot of both cultural and historic reasons, DOD has gotten much farther than most” with zero trust, said Ryan Kalember, executive vice president of cybersecurity strategy at the cyber firm Proofpoint. (Proofpoint has DOD and civilian-agency customers.)
The breach of SolarWinds, which first emerged in 2020 and subsequently allowed alleged Russian hackers to penetrate federal agencies and major companies (including some defense firms, but not DOD itself), allowed DOD to highlight the importance of zero trust, the official said.
“An advanced persistent threat adversary breaking through our perimeter and then rummaging around on our networks stealing our data and such, and also the insider threat — we feel like zero trust is well-postured to tackle all of those things,” the official said. “We’re doing quite well, from where we started.”
The enterprisewide DOD zero-trust budget over the next five years is between $1.5 billion and $2 billion, the official said. But individual services and agencies come up with their own plans. The Army’s fiscal 2024 request alone is $439 million. The department also has set up a Zero Trust Portfolio Management Office.
“We are talking a significant amount of money and the department as a whole is strongly behind this,” the official said. “It is very much like pushing an open door when we talk about this. As long as we can justify what we’re spending the money on, the department’s been very good about funding this and right now we don’t have any unmet costs going forward.”
That doesn’t mean there aren’t weaknesses or challenges within zero-trust capabilities.
- For instance, the official said the Defense Department has more work to do on automation. “We want to take the human out of the loop as much as possible by training the environment to look for the anomalous behavior and react automatically,” the official said. “We’re not far along there.”
- “Would I like to go faster?” the official asked. “Heck yeah.” But, “I see us on schedule. Everyone’s swimming in the same direction.”
State of civilian zero trust
Less than six months after he was sworn in, President Biden signed an executive order for federal agencies to begin implementing zero trust. The Office of Management and Budget published a strategy in January 2022 that requires agencies to meet certain zero-trust goals by September 2024. Just this month, the Cybersecurity and Infrastructure Security Agency published a road map for agencies on zero trust.
Both CISA and the OMB declined to comment for this story.
A November 2022 Government Accountability Office briefing memo on zero trust said one concern for implementing zero trust in the federal government is whether various tools would fit together, including when agencies add new tools to existing ones.
And no system is perfect. “No matter how good of security they put in place there are always going to be hitches in the armor, ways to bypass it,” Gary Barlet, federal field chief technology officer for cybersecurity company Illumio, told me. (Illumio also has both Defense Department and civilian-agency customers.)
FBI investigates document leak
The FBI has been interviewing members of the Discord server where hundreds of classified documents were shared in the wake of the arrest of Jack Teixeira, a member of the Massachusetts Air National Guard who is accused of posting the documents.
The FBI spoke to friends of Teixeira who chatted with him on the Discord server where the documents were shared, our colleagues Shane Harris, Samuel Oakford and Devlin Barrett reported Friday, citing people familiar with the matter.
“The questions included how members of the server first came to know Teixeira, what video games they played together and whether any of the members were foreign nationals, these people said, speaking on condition of anonymity to discuss interactions with law enforcement officials,” our colleagues write.
- The Post previously reported that foreign nationals were present in the server, though it was not clear if the FBI was able to corroborate that. The agency has seized one server member’s electronic devices, our colleagues write.
A trove of documents appears to have been posted to a large group early last year, the New York Times’s Aric Toler, Malachy Browne and Julian E. Barnes reported Friday. One of Teixeira’s friends previously told The Post that he began posting documents last year.
- “In February 2022, soon after the invasion of Ukraine, a user profile matching that of Airman Jack Teixeira began posting secret intelligence on the Russian war effort on a previously undisclosed chat group on Discord. … The chat group contained about 600 members,” Toler, Browne and Barnes write. It’s not clear if authorities are aware of this other group, they report.
The leaks are putting the government under pressure to overhaul its top-secret clearance process, Ben Kesling and Dustin Volz reported Sunday for the Wall Street Journal. “Do we have to go through every part of the military and every part of the intel community and have a leak at each of these entities before we put into place best practices?” Sen. Mark R. Warner (D-Va.) told the Journal in an interview.
Israeli parliamentary panel to probe Israeli police use of spyware
A Knesset committee will establish a panel to probe Israeli police use of spyware against Israeli citizens, Ash Obel reports for the Times of Israel.
“Persistent accusations have alleged that police have access to a watered-down version of Pegasus, known as Saifan, which reportedly allows police access to Israelis’ phones, including the ability to covertly listen to conversations,” Obel writes.
The subcommittee, set to be nested under the Knesset’s Constitution, Law and Justice Committee, will only include a few members due to the sensitive nature of the committee’s business, according to a statement from chair MK Simcha Rothman. The committee will look into a report last year by Israel’s deputy attorney general on police use of spyware, according to the statement.
The U.S. government in 2021 added Israeli spyware maker NSO Group to its “entity list,” which restricts the company from receiving American technologies, after finding that the Pegasus maker’s tools were used to “maliciously target” activists, journalists and government officials. Last month, a group of U.S. allies called for “strict domestic and international controls on the proliferation” of spyware. The list of signatories did not include Israel.
Securing the ballot
- Interpol Cybercrime Director Craig Jones, CISA official Eric Goldstein, NIST Deputy Chief Jon Boyens, NSC official Steven Kelly, Deputy Attorney General Lisa Monaco and former CISA director Chris Krebs speak at the RSA conference today.
- The Center for Strategic and International Studies holds an event about open-source investigations in the age of Google at 1 p.m.
- The Carnegie Endowment for International Peace holds an event titled “Digital Authoritarianism: A Growing Threat” at 2 p.m.
- Senate Armed Services Committee Chair Jack Reed (D-R.I.) speaks at a virtual fireside chat with the Center for a New American Security at 3 p.m.
Secure log off
Thanks for reading. See you tomorrow.