Axios Codebook

August 04, 2023
π TGIF, everyone. Welcome back to Codebook.
- πͺ© Today's newsletter was written while I studied BeyoncΓ©'s Renaissance set list before heading to one of her D.C. shows this weekend. It really is a blockbuster summer concert season.
- π¬ Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,562 words, a 6-minute read.
1 big thing: A master plan for college-based cybersecurity clinics
Illustration: Natalie Peeples/Axios
Google is taking the first step in its master plan to pop up more student-run cybersecurity consultancies across the U.S.
Driving the news: Google is awarding a $2.1 million, three-year grant to the University of California, Berkeley to help build out and bring on new members to the Consortium of Cybersecurity Clinics β of which the university is the de facto chair.
- The funding, exclusively shared with Axios, is the first award from Google's $20 million investment pool announced last month to build and expand university-based cybersecurity clinics.
- UC Berkeley's Center for Long-Term Cybersecurity, which pioneered the creation of this kind of cybersecurity clinic, will use the funds to start developing open-source education materials to share with new clinics, host information sessions, and support its staff so they can work on the project full time.
The big picture: Cybersecurity clinics are akin to law school legal clinics where students enroll in a practicum course to provide hands-on cybersecurity work for local organizations at a low cost or free of charge.
- The program is a win-win: More students are exposed to an industry that desperately needs more workers, while local businesses that can't afford cybersecurity help get the assistance they need to stop hackers.
What they're saying: "Clients of clinics are K-12 districts or schools and local hospitals and small critical infrastructure providers, so we see it as part of public interest cybersecurity here with our program," Ann Cleaveland, executive director of the Berkeley center, told Axios.
Details: The new $2.1 million award will help UC Berkeley and the Consortium of Cybersecurity Clinics assist other universities and colleges that are interested in creating their own clinics.
- Google plans to fund 20 cybersecurity clinics through its program β both through setting up brand-new programs and helping to expand existing ones.
- Applications for Google's additional funds don't open until October, but UC Berkeley will start immediately building awareness and fielding questions from prospective schools about the program, Sarah Powazek, program director for public interest cybersecurity at the Berkeley center, told Axios.
- The team at UC Berkeley will also focus on talking to smaller colleges and minority-serving institutions to make sure the funds aren't going only to top-tier research universities, Cleaveland said.
Between the lines: Standing up a cybersecurity clinic typically takes around nine months, Powazek said, but that timetable can be sped up if clinics share their resources with one another.
- Berkeley's cyber clinic recommends new institutions start by finding a faculty champion to spearhead the program; partnering with other schools within their university, such as the business school, to attract more students; and working with local partners to find clientele.
Zoom out: The new funding comes as the Biden administration jumpstarts its own initiative to close the country's cybersecurity workforce gap.
- Earlier this week, the administration released a first-of-its-kind cybersecurity workforce and education strategy. As part of the strategy, the National Security Agency dedicated grant funding to stand up four new cybersecurity clinics.
- "The cyber workforce strategy that just came out is a huge endorsement of these hands-on, local models," Powazek said. "It's the idea of community security versus national security. It's a different set of organizations that you're focused on."
What's next: The Center for Long-term Cybersecurity and Google are hosting monthly information sessions through October for prospective applicants.
- The next workshop takes place Aug. 30.
2. More fallout from Microsoft government breach
Illustration: Sarah Grillo/Axios
The fallout from the recent Microsoft-related breach of government email accounts continues this week on Capitol Hill, even as lawmakers retreat from Washington for the August recess.
Driving the news: A new congressional committee is probing the incident, and a Microsoft competitor publicly criticized the company's cybersecurity practices β underscoring how much the July email breaches have reverberated across both Silicon Valley and Washington.
- The House Oversight Committee sent letters to Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken earlier this week requesting a staff briefing on the incident before Aug. 9. Chinese hackers are suspected of hacking Raimondo's and other State Department officials' email accounts.
Catch up quick: Last month, Microsoft disclosed that a China-based hacking group had gained access to email accounts belonging to several government agencies.
- Last week, Sen. Ron Wyden (D-Ore.) also called on the Justice Department, the Federal Trade Commission and the Cybersecurity and Infrastructure Security Agency to probe Microsoft's "negligent" cybersecurity practices.
Between the lines: Questions still remain over how hackers obtained a signing key that gave them access to these Microsoft email accounts.
The intrigue: Microsoft competitors have now started jumping in on the discussion to call out their disgruntlement with the tech giant's cybersecurity practices.
- Tenable CEO Amit Yoran published a LinkedIn post Wednesday that harshly criticized Microsoft for failing to patch a critical vulnerability that one of Tenable's researchers uncovered.
- "Microsoft's lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about," Yoran wrote.
The other side: A Microsoft spokesperson told Axios in response to the House Oversight letters that the company is continuing to "work directly with government agencies on this issue."
- In response to Yoran's comments, the spokesperson said that the company appreciates collaboration across the security community and that Microsoft follows an "extensive process" to fix vulnerabilities.
Of note: Microsoft also disclosed a second suspected cyber espionage campaign Wednesday that appears to have targeted government organizations.
- In the new campaign, a Russian hacking group is believed to have sent highly targeted phishing lures that looked like Microsoft Teams chats to people associated with 40 different organizations.
- Those organizations are in the government, NGO, IT services, technology, discrete manufacturing and media sectors, Microsoft found.
3. HackerOne lays off 12% of workforce
Illustration: Shoshana Gordon/Axios
Popular bug bounty program HackerOne is laying off 12% of its workforce, CEO MΓ₯rten Mickos told employees earlier this week.
Why it matters: Unlike in the broader tech sector, layoffs in the cybersecurity industry have been rare this year.
What they're saying: "We did not anticipate the degree to which the overall economic situation is affecting us, with smaller companies running out of money and larger ones taking longer to make purchasing decisions," Mickos wrote in an email Wednesday, which was later published on HackerOne's website.
- "The new products we brought to market didn't perform the way we wanted them to," he added. "Our bets on hiring and new products proved to be too big, and we must now restructure our teams to be successful in the future."
The big picture: HackerOne is known for operating bug bounty programs β where ethical hackers report the software bugs they find to companies β for major corporations and government agencies, including the Department of Defense, Microsoft and Google.
Details: Employees in the U.S. and Canada were affected this week, and HackerOne expects the layoffs will soon affect some employees in the U.K., the Netherlands and other countries, Mickos said.
- HackerOne has more than 450 employees.
- Mickos told employees the company is planning to offer severance packages that include cash and noncash compensation.
- These layoffs should be "a one-time event," Mickos added. "We don't claim to have perfect visibility into our future financial performance or the macroeconomic climate, but we unequivocally wanted to take a single action and move forward with confidence," he wrote.
Zoom out: HackerOne is among a small group of cybersecurity companies that appear to have undergone layoffs this year.
- Cybersecurity firm Bishop Fox laid off 13% of its workforce in May, while Sophos laid off about 10% of its employees at the beginning of the year.
4. Catch up quick
@ D.C.
π The White House is convening educators, education technology vendors and interagency cyber partners for a K-12 school cybersecurity summit Monday. (Axios)
βοΈ The Federal Communications Commission issued a record $300 million fine against a robocall operation that focused on auto warranty scams. (Ars Technica)
π³ The biggest threat to a "smooth and secure" 2024 election is the turnover of state and local election supervisors in recent years, a former top election security official warned. (The Messenger)
@ Industry
ποΈ Sam Altman's iris-scanning Worldcoin project seems to be attracting less-wealthy people, including college students, truck drivers and artists, who just want the $50 sign-up bonus. (Rest of World)
π² Major chipmaker TSMC has no plans to leave Taiwan anytime soon, its company chairman says. (New York Times)
π Google is rolling out new search tools that allow users to remove their personal information from results. (Engadget)
@ Hackers and hacks
πͺ A New York man who submitted a guilty plea for laundering cryptocurrency stolen during the 2016 Bitfinex hack said he also was the one who hacked the exchange. (CNBC)
π The Cult of the Dead Cow hacking group plans to release a new coding framework for app developers looking to encrypt their programs and stop harvesting user data. (Washington Post)
π« Many of the most exploited security vulnerabilities in 2022 were also popular among hackers in 2021 and 2020 β suggesting organizations aren't patching their networks properly. (CyberScoop)
5. 1 fun thing
Screenshot: @ONCD/X
The cyber world β like the feds (as seen above) β is getting ready to head to Las Vegas next week for the Black Hat and DEF CON cybersecurity conferences.
- This is my first year attending (it's been a long time coming) β if you have tips for securing my devices during it, I'm all ears!
- And if any Bravo fans are trying to go to Vanderpump Γ Paris ... also let me know π.
βοΈ See y'all on Tuesday!
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.
Sign up for Axios Codebook

Decode key cybersecurity news and insights. With Sam Sabin.



