December 06, 2022

Happy Tuesday! Welcome back to Codebook.

  • I'm all caught up on "The White Lotus" and am ready to hear all of your finale theories 👀.

Today's newsletter is 1,104 words, a 4-minute read.

1 big thing: Throwing out the cyber job "alphabet soup"

Recruiters and employers are starting to warn applicants against getting too many cybersecurity training certifications, they tell Axios.

Why it matters: Cybersecurity training certifications aim to show specialized knowledge in everything from securing enterprise networks to the basics of responding to a cyber incident. And entry-level candidates can be swayed into getting as many as possible to appear more employable.

  • But those trainings are costly, and many managers don't see any value in having "an alphabet soup" of credentials.

The big picture: The U.S. currently has more than 769,000 open cybersecurity jobs, with only enough candidates to fill 68% of those roles, according to nonprofit CyberSeek.

  • This has led to more students pursuing cybersecurity degrees and midcareer professionals transitioning to the field.

Between the lines: Hiring managers prefer to hire entry-level candidates based on their experience and the initiative they've taken to learn more about cybersecurity, says Renee Small, a recruiter at Cyber Human Capital.

  • Dray Agha, a cybersecurity manager at Huntress, tells Axios that when conducting interviews, he always focuses on the underlying career goals applicants have, rather than "the alphabet soup" that's on their resumes.
  • "You only really need to get a certification when you're specializing, and that's something I think as an industry we've forgotten," Agha says.

By the numbers: 64% of cyber professionals see acquiring a new certification as a way of deepening their skills, rather than as a requirement to land a job, according to a survey released in October by certification vendor (ISC)².

  • Yet 55% said their organizations require employees to have a vendor-neutral cybersecurity certification, which focuses on foundational security topics; 38% said they need a vendor-specific certification.

Yes, but: Many employers consider security certifications a great equalizer among candidates since they establish a baseline knowledge and know-how in the field, Clar Rosso, chief executive officer of (ISC)², tells Axios.

  • (ISC)², which just established an early-career certification this year, updates its programs every three years based on conversations with employers, practitioners and others in the industry, Rosso says.
  • Most government contractors also require that cyber candidates have at least one certification, like CompTIA Security+, Small says.

The intrigue: A pathway still exists for midcareer candidates who don't have a degree in cyber or lack the resources to pursue a certification: Learn it yourself.

  • Small, who also hosts the podcast "Breaking Into Cybersecurity," recommends that those who currently work at large organizations chat with their companies' security teams to see what they can do to learn necessary skills and help out. Doing so could help them net a job down the line, she says.
  • Agha notes that many of the best applicants are those who taught themselves how to conduct analysis of malware strains or write blogs about the various cyber topics they're interested in.
  • "Money is a huge factor in all of this," Agha says. "If you can afford to do these things, then you'll get the alphabet soup, and that says something we don't talk about."

What's next: The Office of the National Cyber Director is reviewing comments for the first U.S. cyber workforce strategy, which will likely touch on cyber education issues and early-career hiring.

2. Charted: Ransomware bullseye 🎯

Data: LookingGlass Cyber Solutions; Chart: Axios Visuals

Ransomware gangs were hyper-focused on organizations in the U.S. in the first half of 2022, according to a report released by LookingGlass Cyber Solutions on Monday.

Why it matters: The data underscores U.S. government officials' increasingly dire warnings about ransomware getting worse — despite officials' best efforts to squash the problem.

By the numbers: Ransomware gangs targeted 433 U.S. organizations between January and June this year, according to LookingGlass' report.

  • That's more than five times the total of companies hit during the same period in the U.K., the second-most targeted country.

Between the lines: It's more likely that the U.S. remains high on the list because it's one of the wealthiest countries in the world, the report argues.

  • Also, many ransomware gangs are based in Russia or other adversarial countries, making Western organizations likelier targets.
  • "Ultimately, the key point to understand is that countries with stronger economies tend to be — but are not necessarily — more highly targeted by ransomware gangs," the report says.

3. Four hackers indicted for stealing tax returns

Officials unsealed indictments against four people accused of hacking U.S. businesses and using stolen personal data to file falsified tax returns with the IRS, federal officials said on Monday.

Driving the news: The U.S. Attorney’s Office for the Middle District of Florida unsealed indictments charging Akinola Taylor, Olayemi Adafin, Olakunle Oyebanjo and Kazeem Olanrewaju Runsewe with conspiracy to commit wire fraud, aggravated identity theft, theft of public money and filing false claims with the U.S. government.

  • The indictment claims Taylor and Runsewe hacked businesses to steal identifying information about U.S. citizens and used those details to file fraudulent tax return forms with the IRS.
  • Adafin and Oyebanjo are suspected of laundering stolen tax returns through prepaid debit cards and various bank accounts they had control over, per the indictment.

The big picture: The IRS' cyber crimes unit led the investigation into this case, adding to a growing list of cases the tax agency has cracked by following hackers' "digital breadcrumbs" on the dark web.

What's next: Two of the men were arrested in London, and the others in Sweden. All will be extradited to the U.S. to face charges.

  • If convicted, each faces a maximum of 20 years in prison just for wire fraud.

4. Catch up quick

@ D.C.

🇷🇺 Microsoft warned that Russia is likely to increase its digital assaults on Ukraine and NATO allies, including the U.S., during the winter. (Microsoft)

🪖 The war in Ukraine weighed heavily over NATO's annual cyberattack simulation exercise last week. (Politico)

🏡 Homeland Security Secretary Alejandro Mayorkas said in a speech Monday that increasing cyberattacks have brought the national security threat "directly to our communities." (CyberScoop)

@ Industry

🇷🇺 A look at how virtual private network provider Proton is fighting Moscow's ban on its services. (New York Times)

@ Hackers and hacks

💸 The Secret Service estimates hackers linked to the Chinese government stole at least $20 million from U.S. COVID relief benefit programs. (NBC News)

🩺 CommonSpirit Health confirmed hackers had access to its networks and patient data for at least a week before deploying ransomware. (SC Media)

🏥 A teaching hospital in France had to transfer some patients to other health care facilities after a ransomware attack. (BleepingComputer)

5. 1 fun thing

Screenshot: @Maxwsmeets/Twitter

ChatGPT, the new OpenAI chatbot that everyone's been trying out over the last week, is now tackling cybersecurity policy ... and it's not too bad.

☀️ See y'all on Friday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
