Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

November 18, 2022

😎 TGIF, everyone. Welcome back to Codebook.

  • It was great seeing some of you at the Aspen Cyber Summit this week! Special shoutout to the person who audibly gasped when they saw me and raved about the newsletter — this edition is for you.
  • 📬 Have any thoughts, feedback or scoops to share? [email protected]

Today's newsletter is 1,424 words, a 5.5-minute read.

1 big thing: Decoding the government's dire ransomware warnings

Illustration of a group of computers featuring chalkboards with equations on them

Illustration: Sarah Grillo/Axios

Despite the government's best efforts, squashing ransomware remains one of U.S. cyber officials' toughest tasks.

Driving the news: During public appearances at the Aspen Cyber Summit earlier this week, government officials gave a rare glimpse into just how difficult ransomware is to fight.

What they're saying: "We’ve only seen the problem continue to get worse, even with all of the efforts we’ve made," said Paul Abbate, deputy director of the FBI, during the summit.

  • "Ransomware continues to happen at unacceptable levels," said Rob Silvers, the Department of Homeland Security's under secretary for strategy, policy and plans, at the event.
  • "We see enough attempted intrusion, and successful intrusions, every day that we're not letting our guard down even a little bit," Silvers added.

The big picture: The U.S. government has thrown considerable resources at the ransomware problem since an attack forced Colonial Pipeline to shut down its fuel pipeline last year. But that still isn't enough to deter ransomware criminals.

State of play: In recent months, most government officials' public remarks about ransomware have focused either on the work they're doing to fight it or on the success those efforts have had.

  • For example, National Security Agency Cybersecurity Director Rob Joyce said in May that ransomware had gone down due to a recent round of sanctions.
  • The White House hosted a group of 36 other governments earlier this month to discuss their counter-ransomware efforts. During an hourslong closing session, most government leaders focused on the progress their countries have made, rather than the steep road ahead.

Between the lines: A growing number of high-profile attacks in recent months — including the September attack on the L.A. Unified School District and another attack last month on CommonSpirit Health — are playing into renewed public warnings.

  • The Treasury Department also reported earlier this month that suspected payments to ransomware gangs have skyrocketed, totaling a new high close to $1.2 billion in 2021.

Threat level: Ransomware gangs are constantly reinventing themselves, changing targets and building new tools to better attack victims — creating an ever-moving target for regulators and companies.

  • Many ransomware gangs now put more emphasis on getting victims to pay to prevent leaks of stolen data, rather than for decryption keys to unlock the files the ransomware encrypted — which changes how companies respond to attacks, since restoring from backups no longer makes the extortion go away.

The intrigue: Foreign governments have also started deploying ransomware in their attacks against one another in recent years, underscoring just how pervasive the threat has become.

Yes, but: The U.S. government has still made tackling the problem a priority, even if it remains an uphill battle.

  • During the White House's ransomware summit, each participating government pledged to not harbor ransomware criminals and to dedicate more resources to detecting and responding to the threat.
  • Last week, federal investigators announced that they had seized more than $3 billion worth of cryptocurrency in a case involving a dark web marketplace, underscoring improvements in tracing and seizing cybercriminals' payments.

What's next: Many of those existing efforts need more resources to build capacity so they can properly tackle ransomware.

  • "Scale is really the name of the game at this point," said Megan Stifel, chief strategy officer at the Institute for Security and Technology, during the Aspen event.

2. Exclusive: The token revamping data security

Illustration of a briefcase with a lock on it

Illustration: Sarah Grillo/Axios

Credit reporting agency TransUnion is testing a new token-based technology to prevent sensitive customer information from being shared whenever a third party requests a credit report, the vendor behind the tech first told Axios.

Why it matters: If adopted, the token could allow TransUnion to keep customers' sensitive identifiers out of the hands of third parties and limit their spread — adding another layer of security to the troves of data the credit reporting agency collects on people.

Details: Spring Labs' new service, TrueZero, replaces sensitive user information with encrypted tokens before it lands on a client's servers, so the raw values never reach the client.

  • Once encrypted, the token ensures that "no third party is able to steal or see any of this sensitive data," says Spring Labs CEO John Sun.
  • In TransUnion's case, that could mean a vendor requesting someone's credit report sees only the information relevant to the request, such as payment history or collections, rather than the identifiers themselves.
  • Sun tells Axios that "anything that's used universally as an identifier for that customer" is considered sensitive information, including Social Security numbers, dates of birth, phone numbers and email addresses.

The big picture: Financial institutions have been steadily adopting tokenization to better secure customers' data.

  • Visa said in August that the company had issued more than 4 billion network tokens worldwide, surpassing the number of physical cards in circulation. A network token stands in for the traditional 16-digit card number, so the merchant or device holds a surrogate value that is bound to the context it was issued for and is of little use to anyone who steals it, rather than the real account number.
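To make the pattern concrete, here is an added Python sketch of vault-based tokenization; it is not code from Spring Labs, TransUnion or Visa, whose implementations the article does not describe in detail. It replaces the identifier fields the article names (Social Security number, date of birth, phone, email) with random surrogate tokens held in a vault, passes the tradeline data through, and scopes each token to the requester it was issued to, which is the same property that makes a network token useless outside the merchant or device it was issued for. `TokenVault`, `scrub_report`, `can_redeem`, the field names and the sample record are all assumptions made for the example.

```python
import hmac
import secrets

# Identifier fields the article names as sensitive; everything else in a
# report (payment history, collections) passes through untouched.
SENSITIVE_FIELDS = frozenset({"ssn", "date_of_birth", "phone", "email"})


class TokenVault:
    """Hypothetical in-memory tokenization vault. Raw values live only here;
    a real deployment keeps this in a separately keyed, hardened store."""

    def __init__(self) -> None:
        self._by_token: dict[str, tuple[str, str, str]] = {}
        self._by_value: dict[tuple[str, str, str], str] = {}

    def tokenize(self, requester: str, field_name: str, value: str) -> str:
        key = (requester, field_name, value)
        if key in self._by_value:
            # Stable per requester, so a client can still match two reports
            # for the same person without ever seeing the identifier.
            return self._by_value[key]
        # Random surrogate, not a hash: an SSN or birth date has so little
        # entropy that a hash could be brute-forced back to the value.
        token = f"tok_{secrets.token_hex(16)}"
        self._by_token[token] = key
        self._by_value[key] = token
        return token

    def detokenize(self, requester: str, token: str) -> str:
        """Redeem a token, but only for the requester it was issued to."""
        entry = self._by_token.get(token)
        if entry is None:
            raise KeyError("unknown token")
        owner, _field_name, value = entry
        # Constant-time compare so timing does not reveal who owns a token.
        if not hmac.compare_digest(owner.encode(), requester.encode()):
            raise PermissionError("token was not issued to this requester")
        return value


def scrub_report(vault: TokenVault, requester: str, report: dict) -> dict:
    """Copy of `report` with every sensitive field replaced by a token scoped
    to `requester`; non-sensitive tradeline data is returned as-is."""
    return {
        key: vault.tokenize(requester, key, value) if key in SENSITIVE_FIELDS else value
        for key, value in report.items()
    }


def can_redeem(vault: TokenVault, requester: str, token: str) -> bool:
    """True only if `requester` is the party the token was issued to."""
    try:
        vault.detokenize(requester, token)
        return True
    except (KeyError, PermissionError):
        return False


# Constructed sample record; not real data.
SAMPLE_REPORT = {
    "ssn": "123-45-6789",
    "date_of_birth": "1990-04-12",
    "phone": "+1-555-0100",
    "email": "jane@example.com",
    "payment_history": ["on-time", "on-time", "30-days-late"],
    "collections": [],
}

if __name__ == "__main__":
    vault = TokenVault()
    for_lender_a = scrub_report(vault, "lender-a", SAMPLE_REPORT)
    for_lender_b = scrub_report(vault, "lender-b", SAMPLE_REPORT)
    print("lender-a sees:", for_lender_a)
    print("same person, different token for lender-b:",
          for_lender_a["ssn"] != for_lender_b["ssn"])
    print("lender-b can redeem lender-a's token:",
          can_redeem(vault, "lender-b", for_lender_a["ssn"]))
```

Three design choices carry the security value here: tokens are random rather than hashed, because low-entropy identifiers such as SSNs and birth dates would otherwise be recoverable by brute force; a token is stable for a given requester and value, so the client can still link records without the identifier; and a token is bound to the requester it was issued to, so one leaked from vendor A cannot be redeemed at, or correlated with, vendor B.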

What they're saying: "Obviously, there's always going to be entities that are going to need to collect information about you," Sun says. "But our goal is to make sure that that doesn't propagate throughout the ecosystem every time there's a question about your history or your credit or anything like that."

Between the lines: Credit reporting agencies have been at the center of several data breaches in recent years, underscoring the need for new security measures.

3. The World Cup's hidden audience

Illustration of a pattern of eyes looking around.

Illustration: Brendan Lynch/Axios

This year's FIFA World Cup in Qatar is gearing up to be a hot spot for governments spying on their adversaries, researchers and officials cautioned this week.

Driving the news: Cybersecurity firm Recorded Future released a report Thursday warning that state-sponsored hacking groups are likely to see the World Cup as a "target-rich environment" for spying on foreign dignitaries and businesspeople.

  • European data protection regulators have been advising their constituents against downloading Qatar's World Cup apps due to surveillance and national security concerns.
  • German authorities said one of the apps "collects data on whether and with which number a telephone call is made," Politico reports.

The big picture: International sports events have become a hotbed for cyber espionage campaigns, putting governments on high alert for unwelcome surveillance.

  • The U.S. Olympic & Paralympic Committee advised Team USA to use burner phones while in Beijing for this year's Winter Olympics due to similar concerns, per the Wall Street Journal.

Between the lines: Recorded Future's researchers said digital spies tied to China and Iran are the most likely to carry out espionage campaigns targeting the tournament.

  • Iranian espionage groups have a history of spying on other Middle Eastern governments.

The intrigue: Russia is the likeliest nation to launch a disruptive attack against the World Cup as retaliation for FIFA's blanket ban on Russian soccer clubs from competitions after the invasion of Ukraine, according to the report.

Be smart: The report advises those attending the World Cup to use encrypted messaging apps, consider relying on a burner phone, and exercise caution when connecting to public Wi-Fi networks.

4. Catch up quick

@ D.C.

🇮🇷 The Cybersecurity and Infrastructure Security Agency and the FBI said Iranian state-sponsored hackers had compromised a federal agency by exploiting the Log4Shell vulnerability in the open-source Log4j logging library. (CISA)

🐦 A group of Senate Democrats asked the Federal Trade Commission to investigate potential security issues at Twitter since Elon Musk took control. (CyberScoop)

🏛 Two House committees alleged biometric ID verification company ID.me made "baseless claims" about the amount of COVID-19 unemployment fraud it had detected. (Gizmodo)

@ Industry

📊 The cyber insurance market is starting to show signs of cooling down following a year of rapidly rising premiums. (Wall Street Journal)

🔍 A look at how a Twitter mega-breach would unfold and what data would be tied up in it as staff reductions continue. (Wired)

👀 More than two dozen Meta employees and contractors have either been fired or disciplined for improperly accessing users' accounts. (Wall Street Journal)

@ Hackers and hacks

🐝 The FBI estimates the Hive ransomware gang has extorted roughly $100 million from more than 1,300 companies since June 2021. (BleepingComputer)

🎓 A Michigan school district had to cancel classes for several days earlier this week as it recovered from a ransomware attack. (USA Today)

5. 1 fun thing

Screenshot of a tweet

Screenshot: @SwiftOnSecurity/Twitter

This one is for all the fellow Swifties in the Codebook community: It's been a tough week wrestling with Ticketmaster. May I suggest following the @SwiftOnSecurity Twitter account for some relief?

☀️ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.