Axios Codebook

May 09, 2023
Happy Tuesday! Welcome back to Codebook.
- Nothing beats the feeling of finally being able to breathe again after weeks of allergies and high pollen counts.
- Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,366 words, a 5-minute read.
1 big thing: Biden's push for a software ingredient list, explained
Illustration: Eniola Odetunde/Axios
One of the most straightforward cybersecurity solutions has become unnecessarily confusing and overhyped as the government pushes to see it implemented, security experts warn.
The big picture: Ever since 2020's SolarWinds cyber espionage campaign, the Biden administration and security vendors have been encouraging companies — especially tech vendors for the federal government — to create what's known as a software bill of materials (SBOM).
- An SBOM is a nested ingredient list of what components make up a piece of software, including what open-source programs and other tech stacks it pulls from.
- Security defenders can use the list to see if their own networks are vulnerable when another vendor faces a cyberattack — or executives can use it to decide if they want to purchase a company's possibly vulnerable software.
- For example, when researchers detected a critical security flaw in the Log4j logging tool in late 2021, organizations could've turned to SBOMs to see if their own products included the vulnerable version of the tool.
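As an added example (not code from the newsletter or from any vendor quoted in it), here is how a defender would automate the Log4j check described above against a small CycloneDX-style SBOM. The SBOM document, the product and library names, and the `find_affected` helper are constructed for this illustration; the affected version range used, log4j-core 2.0-beta9 up to but not including 2.15.0, is the published range for the late-2021 flaw the newsletter refers to. The walk descends into nested components, since that is where a transitive dependency like log4j-core usually hides.

```python
"""Walk a CycloneDX-style SBOM and flag components inside a known-affected version range.

Added example, not Axios's or any vendor's code. The SBOM below is constructed;
the affected range (log4j-core >= 2.0-beta9 and < 2.15.0) is the published range
for the late-2021 Log4j flaw mentioned in the newsletter.
"""
import json
import re

# Constructed SBOM: a top-level application that nests a library, which in turn pulls in log4j-core.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "application",
      "name": "billing-service",
      "version": "3.2.0",
      "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.example",
         "name": "report-lib", "version": "1.0.0",
         "components": [
           {"type": "library", "group": "org.apache.logging.log4j",
            "name": "log4j-core", "version": "2.17.1"}
         ]}
      ]
    },
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"}
  ]
}
""")

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str):
    """Sortable key for versions like '2.14.1' or '2.0-beta9'.

    A pre-release must sort below its release, so the key is
    (numeric release parts, 1 for release / 0 for pre-release, pre-release tokens):
    '2.0-beta9' -> ((2, 0), 0, ('beta', 9)) and '2.0' -> ((2, 0), 1, ()).
    """
    release_str, _, pre_str = version.partition("-")
    release = tuple(int(p) for p in release_str.split(".") if p.isdigit())
    pre = tuple(int(t) if t.isdigit() else t.lower() for t in _TOKEN.findall(pre_str))
    return (release, 0 if pre else 1, pre)


def _label(comp: dict) -> str:
    """Human-readable coordinate for one component, e.g. 'group:name@version'."""
    name = comp.get("name", "?")
    group = comp.get("group")
    return f"{group}:{name}@{comp.get('version', '?')}" if group else f"{name}@{comp.get('version', '?')}"


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested 'components' lists."""
    for comp in components:
        comp_path = path + (_label(comp),)
        yield comp_path, comp
        yield from walk_components(comp.get("components", []), comp_path)


def find_affected(sbom: dict, group: str, name: str, first_affected: str, first_fixed: str):
    """Return the dependency path of every (group, name) component whose version
    lies in [first_affected, first_fixed), so a defender sees where the risk is pulled in."""
    lo, hi = version_key(first_affected), version_key(first_fixed)
    hits = []
    for path, comp in walk_components(sbom.get("components", [])):
        if comp.get("group") != group or comp.get("name") != name:
            continue
        if lo <= version_key(comp.get("version", "0")) < hi:
            hits.append(" -> ".join(path))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core",
                             "2.0-beta9", "2.15.0"):
        print("AFFECTED:", hit)
```

Only the 2.14.1 copy bundled directly under billing-service is flagged; the 2.17.1 copy nested under report-lib and the log4j-api artifact are not. In practice the affected range should come from a vulnerability feed rather than be hand-typed, since later Log4j advisories moved the fix version forward, and the same walk can be rerun for each new advisory.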
How it works: Putting together an SBOM requires time to pull all relevant data and format the list in a usable way, Nurit Bielorai, go-to-market manager at Israel-based Aqua Security, told Axios.
- "You can always export data and get the version that you need to meet all the requirements," Bielorai said of the SBOM creation process.
- Where organizations mostly need help is making their SBOMs readable, so they can determine where they're vulnerable.
Yes, but: Many software vendors aren't ready to invest the needed time and money into fixing the security flaws that SBOMs will highlight, Alex Santos, CEO at Fortress Information Security, told Axios.
- A lot of software is built quickly to ensure developers and their employers can push high-demand products out the door.
- But prioritizing speed often leads to insecure products, and many times developers have to completely rebuild their products to patch security holes, Santos said.
What they're saying: "I think people are acting confused about SBOMs because when they start thinking about where the puck is going, they're like, 'I'm going to have to replace these pieces,'" Santos said.
Zoom in: President Joe Biden's 2021 cybersecurity executive order started the process of requiring federal contractors to provide government customers with an SBOM for their products.
- Shortly after, the Commerce Department's National Telecommunications and Information Administration released "minimum elements" for what those SBOMs should look like.
- Now, the Biden administration's first cybersecurity strategy, released earlier this year, takes the effort a step further by attempting to make software makers liable for the unpatched vulnerabilities in their software. An SBOM would help reveal those known but unpatched flaws.
The intrigue: SBOMs' capabilities tend to get overinflated. In reality, all a list does is provide much-needed transparency into the security of a company's tech stack.
- "We're calling these things 'SBOM' when we should be calling them 'software quality' or 'software security,'" Santos said. "SBOMs are the tool that you use in order to get transparency."
Between the lines: Major tech vendors have been pushing back against the administration's SBOM mandates, arguing the tool is too early-stage for agencies to find useful or readable.
- Corporate lawyers are also skittish about vendors publishing their SBOMs online or sharing them with potential customers because it could make them liable in any future attacks that exploit their products, Santos said.
What's next: Security experts are eyeing the Biden administration's soon-to-be-released implementation plan for its national cyber strategy, expecting it to help answer questions about how publishing an SBOM will fold into liability plans.
2. Royal ransomware's spree against U.S. cities
Illustration: Sarah Grillo/Axios
The ransomware gang believed to be behind an ongoing attack on the City of Dallas' systems is made up of some familiar characters.
The big picture: Royal ransomware is thought to include former members of Conti, another notorious, but defunct, Russian ransomware gang, researchers at Palo Alto Networks said in a report released Tuesday.
- Conti disbanded nearly a year ago after targeting a long list of cities, public schools and even the country of Costa Rica.
- The group was well organized: It had a human resources department and formal interviewing processes for new members.
- Now, researchers believe several former core Conti members are behind the Royal gang — and they're furiously targeting public services.
Driving the news: Dallas is one of Royal's most recent targets, prompting the city last week to shut down some of its courts and disrupting some of its 911 emergency services.
- The city government said in an update Monday that the online 911 system was still being retested to ensure the malware is gone.
By the numbers: Royal has targeted seven local government entities, including the City of Dallas, since 2022, according to the Palo Alto Networks report.
- Royal has also hit 14 educational institutions since then, per the report.
Yes, but: Pinning down the exact numbers and victimology for ransomware gangs is tricky, considering many organizations never report that they even faced such an attack.
- Most reports, including Palo Alto's, rely on local news reports, social media listings and any information that the gang has published on dark web sites to extort victims.
Between the lines: It's pretty common for ransomware operators to rebrand their gangs to obfuscate who they are and make it harder to track trends in their attacks.
- The members of Royal are also believed to have helped develop Ryuk ransomware, the gang that rebranded as Conti in 2020.
3. Telecom's "extreme" password leaks
Illustration: Sarah Grillo/Axios
Employees at Fortune 1000 telecommunications companies are some of the most exposed on dark web sites, according to a report released today.
What's happening: Researchers at threat intelligence firm SpyCloud found 6.34 million pairs of credentials — including corporate email addresses and passwords — that likely belong to telecommunications company employees.
- Those 6.34 million credentials spanned just nine Fortune 1000 telecom companies. That's an "extreme" rate compared to other sectors, the report notes.
- In comparison, SpyCloud discovered 7.52 million pairs of credentials belonging to tech sector employees — but those employee logins spanned 167 Fortune 1000 companies.
Why it matters: Telecommunications companies remain ripe targets for malicious hackers eager to steal customers' sensitive phone and financial data.
- Yet these companies struggle compared to other high-risk sectors to keep their systems secured due to poor vendor security.
- Last week, T-Mobile disclosed its second data breach in 2023 alone.
The big picture: Hackers still have a lot of success using simple techniques — such as relying on stolen passwords or tricking individual employees into sharing their passwords — to launch impactful attacks.
- A breach at Uber last fall started with hackers targeting employees by posing as someone from the IT team and sending repeated multifactor authentication requests until an employee approved them.
- Ransomware attackers gained access to Colonial Pipeline's online systems in May 2021 using a former employee's leaked password.
Yes, but: Not every pair of credentials will still work, according to SpyCloud's report.
- But "the ones that do match or even have a partial match represent substantial risk for these enterprises," the report says.
4. Catch up quick
@ D.C.
The U.S. Department of Justice seized the domains of 13 DDoS-for-hire services. (Ars Technica)
The Biden administration is weighing whether to ban ransomware payments. (Cybersecurity Dive)
@ Industry
OpenAI CEO Sam Altman's iris-scanning startup, Worldcoin, released its crypto wallet, World App. (CoinDesk)
Now that Google has implemented passkeys on personal accounts, here's how they work and why they're more secure than passwords. (Ars Technica)
@ Hackers and hacks
California's San Bernardino County paid ransomware hackers roughly $500,000 to unlock the sheriff's department's computer systems. (Los Angeles Times)
NextGen Healthcare, an electronic health record software provider, said hackers stole the data belonging to more than 1 million patients last month. (TechCrunch)
Ransomware hackers leaked nearly 200,000 files tied to sensitive student and educator information stolen during the Minneapolis Public Schools attack. (The 74)
5. 1 fun thing
Illustration: Lindsey Bailey/Axios
Two of my Axios colleagues released books today! What an accomplishment.
- Chief financial correspondent Felix Salmon released "The Phoenix Economy: Work, Life, and Money in the New Not Normal," which covers the ramifications of the pandemic years.
- Crypto reporter Brady Dale released "SBF: How the FTX Bankruptcy Unwound Crypto's Very Bad Good Guy," which is the first book to hit the market covering the notorious FTX collapse.
See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.