September 12, 2023
Happy Tuesday! Welcome back to Codebook.
- 🏃🏻‍♀️ Shoutout to everyone else finding themselves running between all the meetings and events this week! Sure feels like summer's over.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,368 words, a 5-minute read.
1 big thing: A long-term plan to secure open-source software
Roughly 90 government officials and private sector executives are convening in Washington this week to draft a new, long-term plan for securing publicly available open-source code.
Why it matters: Most software contains at least some open-source code, but open-source project developers are typically volunteers who don't have the bandwidth to keep up with security upgrades.
- Many also don't keep detailed inventory lists of the software running in their products — meaning that whenever a critical security flaw is found in an open-source project, it can take years for companies to realize their products are affected.
Driving the news: The Open Source Security Foundation (OpenSSF) is hosting a two-day summit in Washington, D.C., starting today to discuss some of the security issues that still plague the open-source community.
- Government officials from the White House, the Defense Department, the Cybersecurity and Infrastructure Security Agency, the National Science Foundation and other offices will participate in the summit — alongside a range of companies, including Amazon, Apple, JPMorgan Chase & Co. and GitHub, a senior administration official told Axios.
Catch up quick: This week's summit builds on a set of White House meetings and tech sector initiatives last year in the wake of the widespread Log4j critical vulnerability.
- The White House hosted the first summit in January 2022 and had a follow-up meeting last May to discuss policy and private sector solutions.
- Tech companies pledged $30 million to fund a 10-point plan to better secure open-source software, such as establishing new OpenSSF courses to educate the open-source community and providing third-party code reviews for some of the most critical projects.
- Since May 2022, more than 20,000 developers have participated in OpenSSF's security education courses, the senior administration official told Axios.
What they're saying: "We set very aggressive goals last year, because the Log4j incident highlighted how much open source matters and how there were systemic issues with open source that needed to be addressed to improve security," Anne Neuberger, deputy national security adviser for cyber and emerging technologies, told Axios.
- "The administration knows that you can't just kick off an effort and expect everything to get done — you need to check in and continue to spark momentum and progress."
Details: Participants will start the summit today discussing the current state of open-source security and providing updates on the projects they launched last year, Omkhar Arasaratnam, general manager at OpenSSF, told Axios.
- Tomorrow, the summit will establish charters for a set of new task forces focused on various open-source security topics based on what's discussed today, he added.
- These task forces will operate inside OpenSSF throughout the year and will provide periodic updates to the White House. OpenSSF hopes to hold another summit next fall.
- By the end of tomorrow, summit participants will walk away with a new call to action and plans for future public-private initiatives.
The intrigue: The last set of open-source security initiatives happened before the current AI boom, and participants are likely to discuss the ways that AI could help identify the open-source tools inside companies' products, the senior administration official said.
- The Defense Advanced Research Projects Agency will discuss its new two-year cyber challenge for open-source AI security tools, for example.
What's next: Arasaratnam and the Biden administration are hoping to hear from anyone who works with open-source technologies — even if they weren't at the summit — about the best ways to protect these projects.
- "This is open source; you don't have to be a big bank or large government entity," Arasaratnam said. "There is an equal opportunity for members of the general public all the way up to large international corporations to get behind this."
2. MGM takes systems offline after cyberattack
MGM Resorts International said Monday that it was responding to a "cybersecurity issue" that prompted the company to take down some of its systems.
Why it matters: MGM operates hotels across the U.S., and news reports and social media posts suggest that guests are having issues getting back into their rooms and that some slot machines and ATMs are offline.
- MGM runs some of the most well-known Las Vegas hotel brands, including the Bellagio, Mandalay Bay and Excalibur.
What they're saying: "MGM Resorts recently identified a cybersecurity issue affecting some of the company's systems," the company wrote in an online post.
- "Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts."
Details: Alongside room keys and slot machines, the cyberattack has also taken down the websites for several MGM properties. Visitors are now being directed to a list of phone numbers for affected properties to call instead.
- The MGM Rewards App, where guests can access their digital room keys and trip information, was also offline Tuesday, Axios confirmed.
- MGM did not respond to an emailed request for comment, but the company shared in an update late Monday that its properties are "currently operational" and that "our guests remain able to access their hotel rooms and our front desk staff is ready to assist."
Between the lines: It remains unclear how long it will take MGM to bring its systems back online and how hackers were able to infiltrate the company's networks.
- It often can take days or weeks for companies to determine the full extent of a cyberattack on their networks.
Flashback: Hackers stole the personal data of 10.6 million MGM guests during a 2019 data breach.
3. Cars' "unmatched power" to spy on drivers
For millions of Americans, their car is their safe haven — a rare place to find some privacy between a busy home and an open-plan office.
- It's too bad, then, that automakers have little respect for our privacy, per a stunning new report from the Mozilla Foundation, Axios chief financial correspondent Felix Salmon writes.
Why it matters: Cars are now computers on wheels — which means they "have an unmatched power to watch, listen, and collect information about what you do and where you go," per the report. That information is then shared with or sold to data brokers, law enforcement, and others.
The big picture: Americans spend about 300 hours a year driving — plus many more hours when the car is repurposed as an office, a lunchroom, a phone booth or even a recording studio. The information about what we do during those hours can be extremely valuable.
Out of 25 car brands studied by the Mozilla Foundation:
- 56% will share data with law enforcement in response to an informal request.
- 84% share or sell personal data.
- 100% earned the foundation's "privacy not included" warning label.
Zoom in: The Nissan privacy notice says the company can share "sensitive personal information, including driver's license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information."
- It's not clear that Nissan has information on its drivers' genetics or sexual activity, but the notice is alarming all the same — especially since five other companies also say they can collect genetic "information" or "characteristics."
4. Catch up quick
🏛️ The U.S. Court of Appeals for the Fifth Circuit removed restrictions on CISA officials meeting with social media companies, noting the agency had not coerced the companies' content moderation decisions. (Washington Post)
🙅🏻‍♂️ The Biden administration rejected a congressional push to create a specific contingency plan for the U.S. economy in the event of a major cyberattack, according to a recently obtained CISA report. (The Messenger)
🇱🇹 The U.S. Cyber Command has wrapped up its second "hunt forward" mission in Lithuania to help detect vulnerabilities in the Lithuanian government's networks. (The Record)
🔐 CertifID, an identity protection startup, raised a $20 million funding round led by Arthur Ventures. (TechCrunch)
💳 Square says a domain name system issue, not a cyberattack, caused a widespread outage last week that affected online payments. (BleepingComputer)
@ Hackers and hacks
👾 Ransomware hackers are actively exploiting an unpatched zero-day vulnerability in two widely used Cisco security appliances. (Ars Technica)
🇮🇷 Iran-backed hackers have breached the computer systems of 32 Israeli companies, a company in the United Arab Emirates and another in Brazil, according to new research. (Haaretz)
5. 1 fun thing
Raise your hand if you've ever been personally victimized by the "evolving, sophisticated cyber landscape." 🙋🏻‍♀️
☀️ See y'all on Friday!
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.