With help from Maggie Miller
— A top NSO Group official tells MC the spyware company is tired of the scrutiny it’s receiving and would welcome new regulations to prevent spyware abuses.
— Recent Russian ransomware attacks targeting the Costa Rican and Peruvian governments should worry U.S. officials about possible infrastructure attacks, threat analysts warn.
— Washington cyber officials and lawmakers have a busy week ahead with congressional hearings, industry events and transatlantic meetings. MC breaks down the ones to watch.
HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin, and I am both surprised and upset by how much I relate to this lost delivery robot wandering through the woods as I settle into the week.
Have any tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you’ve got to [email protected]. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it:
Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.
WE’RE NOT GONNA TAKE IT — A top executive at Israeli company NSO Group is punching back at widespread criticism from governments and researchers that its spyware Pegasus is used to target governments and not to combat terrorism.
“We know how many lives have been saved because of Pegasus around the world — including big terror attacks that were prevented because of Pegasus,” Ariella ben Abraham, a global communications executive at NSO told Maggie during an interview last week.
The company has faced a wave of scrutiny in recent years as report after report details the ways users of its spyware have abused the technology — which can be installed on a victim’s phone and collect data without them noticing — to spy on officials across Europe, the Middle East, Central America and beyond, including one just last month detailing the surveillance of Catalan politicians and activists. And those reports have hit NSO Group pretty hard: The United States blacklisted the company late last year due to concerns about abuse, and NSO has been struggling to find a buyer to take over parts of its business.
— Making changes: But Abraham argues the scrutiny is excessive, especially considering the good work the technology has accomplished and the business changes it’s made to prevent abuse. The company also now works closely with the Israeli government, and each potential new contract is required to be approved by the country’s defense ministry.
An NSO spokesperson also said the company has refused sale requests from private sector companies and that NSO terminates contracts if the spyware was misused.
“There is a big need for tools like this with law enforcement agencies as there is no other way to catch pedophiles, to catch terrorists, operating on the web,” Abraham said. “That is where they operate, and this is the only solution, using tools like this.”
— The other side: But top officials and researchers still argue that NSO Group’s technologies do way more harm than good.
“They’ve been claiming for ages that they are the good guys,” Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, told Maggie during a phone call last week. “I hope that democracies are not going to just take this NSO statement that spyware is going after terrorists and pedophiles at face value.”
John Scott Railton, a senior researcher at Citizen Lab and one of the authors of the recent report, also told Maggie it’s unlikely the company will make meaningful changes: “Whatever it is they are doing, it’s clearly not working, because there are now hundreds of documented cases and growing.”
— Bring it on: Abraham said NSO would welcome more regulation spelling out who the company can — and cannot — sell their spyware to and prevent future abuses of its tech “like the Geneva Convention for the cyber intelligence industry.”
A NEW RANSOMWARE WAVE — When the war in Ukraine began nearly three months ago, Russian ransomware gangs, in particular, went relatively quiet. Now, ransomware analysts warn that a string of high-profile ransomware attacks could mean these gangs are back up-and-running and could even expand their list of targets to include more Western organizations.
“[As of] about three weeks ago, they seem to be back in full force,” said Chester Wisniewski, a principal research scientist at Sophos.
— Top of mind: Last week, the Costa Rican government declared a state of emergency as it struggles to recover from a Conti ransomware attack. The same gang is claiming to have attacked the Peruvian government (and has even posted supposed data from the Peruvian intelligence agency on its dark web leak site).
In the last few months, gangs have been recovering from the impact of the Russian war in Ukraine on their own organizations. Many of the Russian gangs work with hackers based in Ukraine and other allied countries around the world, but the war has made it difficult for them to continue to work together — leaving ransomware gangs with their own supply chain issues to work through, Wisniewski said.
But attacking two national governments is a clear sign that they’re back up-and-running, Wisniewski said, and that could make officials overseeing the security of the United States critical infrastructure really nervous.
“It’s unlikely DoD or things like that are in a security state that would enable Conti to just walk in and ransom them, but that’s not necessarily true for the 3,700 water processing facilities around the country,” Wisniewski said.
— Coincidence? Last year, the Colonial Pipeline faced an attack in early May, and five years ago, the WannaCry ransomware attack, which hit more than 200,000 computers in 150 countries, also happened during the same week. “It does feel like this is the week, in general, that bad ransomware things happen,” said Allan Liska, a ransomware-focused analyst with Recorded Future.
GETTING TO IT — From lawmakers on Capitol Hill to transatlantic officials gathering in France, the week ahead is stacked with notable cyber meetings, summits and legislative markups to keep tabs on. MC breaks down the dizzying number of scheduled events this week so you can plan ahead:
— Congressional huddles: The weeks before a holiday recess are always the most intense on Capitol Hill, and this week in cyber legislative actions is no exception. On Tuesday, the House Homeland Security Committee cyber subcommittee will host officials from CISA, the Office of the National Cyber Director, Commerce’s National Institute of Standards and Technology and the General Services Administration to discuss ways to secure federal networks. The next day, two hearings will focus on the extent of threats to U.S. critical infrastructure: the Senate Health, Education, Labor and Pensions Committee will discuss cyber threats to schools and hospitals, and a subcommittee of the House Foreign Affairs Committee will dive into Russian cyber threats.
— Transatlantic sit downs: Several tech groups are also pushing to see encryption and data protection issues discussed at the upcoming U.S.-EU Trade and Technology Council meeting, which kicks off today and goes through Tuesday. The Software & Information Industry Association is recommending that a few of the council’s working groups establish pilot programs during this week’s meeting to test advances in encryption and other privacy-enhancing technologies, while the Information Technology Industry Council is pushing to see the council start focusing on standardizing data storage and privacy laws across the two regions.
— Industry event appearances: A handful of Biden administration cyber officials — including CISA Director Jen Easterly, National Cyber Director Chris Inglis and deputy attorney general Lisa Monaco — will also give remarks Friday at Institute for Security and Technology’s ransomware event. The event celebrates the first year of the Ransomware Task Force, a group housed at the institute of industry, government, and civil society officials who propose solutions to the ransomware problem.
TARGETING UKRAINE’S INTERNET — The State Service of Special Communication and Information Protection of Ukraine, the country’s top cyber agency, warned Friday of Russian forces attempting to intimidate Ukrainian internet service providers into connecting to a network controlled by Russia’s intelligence services. SSSCIP also said that “terrorists from the so-called Russian Guard” invaded the office of Kherson-based company Status and “disconnected all communication equipment” and are now blackmailing the company’s management into connecting to Crimea’s networks.
“That is a gross violation of the international law,” SSSCIP said in a news release. “We record all such incidents and will use them as evidence in the suits against Russian criminals to be investigated by international competent courts.”
— Keith Jones is leaving his role as chief information officer at the State Department to return to the private sector. His last day is June 17, and principal deputy CIO Glenn Miller will become acting CIO in the interim.
From Matthew Green, a cryptography professor at Johns Hopkins University: “My students asked me: how low does the price of Bitcoin have to go before ‘crypto’ means cryptography again?”
— NSA cyber lead Rob Joyce says the federal government’s forthcoming, quantum-proof encryption standards won’t include a “backdoor” for spying. (Bloomberg)
— Lincoln College president David Gerlach said a ransomware attack was “only adding insult to injury” after years of low enrollment, forcing it to close its doors on Friday. (The Record)
— The Congressional Budget Office estimates it would cost $10 million over the next five years to implement the Improving Cybersecurity of Small Businesses, Nonprofits and Local Governments Act (S. 2483).
— Italian police say they thwarted a pro-Russian hacking attempt on both the semi-final and final rounds of the Eurovision Song Contest this month. (Reuters)
— “2 Visions Clash Over How to Fight Online Child Abuse in Europe.” (Wired)
Stay in touch with the whole team: Eric Geller ([email protected]); Konstantin Kakaes ([email protected]); Maggie Miller ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).