Maintaining an open Internet requires trust, a belief in short supply
CISA, DeepSeek, and new sanctions and indictments from the US and EU
Promoting an open Internet safely requires trusted initiatives, which the US is losing
The US pushes a message of the value of an open Internet, and much of the policy it establishes enforces this. Unfortunately, having an open Internet means that, instead of putting controls in place to segment the Internet (the opposite of open), governments need to educate and inform citizens quickly. Otherwise, it’s a game of whack-a-mole in slow motion: potential issues arise, and regulations to prevent access get put in place (see TikTok), which can take years. CISA had started working to educate and inform citizens in a trusted way. However, many actions have been taken in the past week to limit CISA’s mission. One example: the removal of DHS advisory committees.
Cyber Safety Review Board members removed, threatening national security
What happened: The Trump administration removed all advisors from all DHS advisory committees, including those on CISA’s Cyber Safety Review Board. Established in 2022, the board reviewed major cybersecurity incidents and, based on those reviews, gave recommendations to the public and private sectors to ultimately enhance our national security.
Take note: Unfortunately, the board was investigating the latest Salt Typhoon attack on US telecommunications providers, including Verizon, T-Mobile, AT&T, and several others. Salt Typhoon is a threat actor operated by China's Ministry of State Security. The attack gave Chinese government hackers knowledge of whom the Justice Department is currently wiretapping (so they could identify which Chinese spies are being tracked), and likely access to the phones of Donald Trump, JD Vance, and staff on Kamala Harris' campaign, among other US citizens in the DC area. The investigation is now paused indefinitely, and as such, no security recommendations will be released to the public.
The response: The salt in the wound is that, now six months later, the attackers still have a foothold in some of the US telecom providers. Meanwhile, the Treasury’s Office of Foreign Assets Control just sanctioned a company associated with Salt Typhoon.
If the name Salt Typhoon seems odd, there's a reason: each security company assigns its own names to the attacker groups it identifies, once it has high confidence in the attribution. Check out how Microsoft names its threat actors here.
Governments need faster methods to advise the public on security and privacy
The way governments advise citizens on tech (and the way they don’t) isn’t working. Technology companies and citizens are moving faster than governments can keep up. On the one hand, this is good news - government systems slow down processes that, if done quickly, can be abused. However, government tech policy, and at the very least its guidance to the public on tech, moves too slowly and too cumbersomely to inform or protect citizens. The latest instance of this: DeepSeek.
Chinese AI startup DeepSeek generates buzz before being hit with cyberattack
What happened: DeepSeek is an AI startup out of China that has built an AI model that it claims performs on par with OpenAI’s ChatGPT at a much lower cost. It released its app last week, which gained massive adoption on the iOS App Store and is currently ranked #1 in the Top Free Apps section, above ChatGPT. This all caused US tech stocks to tumble on Monday. Shortly after, DeepSeek announced it had been hit with a cyberattack, causing it to limit registrations. Any guesses as to who targeted it or why would be pure speculation at this point.
Take note: A week ago we talked about how the US government moved to ban TikTok because of its potential national security ramifications, what with it being a Chinese company. Thousands of people (up to a million, counting the App Store) are now downloading another piece of Chinese software (DeepSeek) and putting various information into the tool. Further, DeepSeek explicitly says it can collect “your text or audio input, prompt, uploaded files, feedback, chat history, or other content” and use it for training purposes. It also states it can share this information with law enforcement agencies, public authorities, etc. at its discretion. Be careful how you use DeepSeek and what information you put into it.
Sanctions and indictments are one important step to erode the power of nation-state threat actors
Over the past few years, governments have indicted and sanctioned individuals from some of the most prolific nation-state threat actors. On the one hand, these actions should be lauded - determining the identity of individual hackers is very challenging, and it is one of the ways we can dissuade individuals from participating in these activities. However, beyond public shaming, the indictments rarely have teeth. You can’t prosecute a foreign national if their nation of origin refuses extradition, which these nations most certainly do. Further, taking down individuals within the apparatus is not the same as taking down the apparatus itself. To address this, governments are actively working on initiatives like Operation Toy Soldier, an international effort to combat the activities of Unit 29155 of the GRU through multiple methods.
DPRK attackers indicted by the US Justice Department
What happened: The US Justice Department indicted multiple North Korean nationals and several others for their part in a multi-year fraud scheme to generate revenue for the DPRK. The scheme, perpetrated by the DPRK attacker group Famous Chollima, involved North Koreans pretending to be American workers so they could get hired for IT jobs at at least 64 different US companies. They completed their day-to-day work in those IT jobs while stealing as much data as possible from the companies.
Take note: The DPRK is notorious for using cyberattacks like these to fund some of its most crucial military programs, including its nuclear program.
If the name Famous Chollima seems odd, there's a reason: each security company assigns its own names to the attacker groups it identifies, once it has high confidence in the attribution. Check out how CrowdStrike names its threat actors here.
Russian attackers sanctioned by EU
What happened: Three Russian officers were sanctioned by the EU for their work stealing thousands of classified documents from government ministries in Estonia. The sanctions freeze individual assets, impose a travel ban, and prohibit anyone in the EU from providing funds to them. The US Federal Bureau of Investigation also issued warrants for two of these men in August 2024.
Take note: The attackers are part of Unit 29155 of the General Staff of the Armed Forces of the Russian Federation (aka the GRU). GRU Unit 29155 is well known for targeting Ukrainian government systems and critical infrastructure in the US and other Western nations, among other destructive activities.
I want to hear your perspective. Have thoughts on this? Write me a comment below!