Tuesday's technology stories

Ukraine warns allies about Russian cyberattacks
Ukraine's military intelligence agency warned Monday that Russia could soon ramp up its cyberattacks against both Ukraine and its allies.
Why it matters: U.S. officials have long warned that Russia's war in Ukraine could lead to either direct assaults on U.S. and other Ukrainian allies' critical infrastructure or a spillover attack that prompts worldwide chaos.
- A major concern has been a repeat of the 2017 NotPetya malware attack, where Russian malware intended solely for Ukrainian organizations ended up affecting at least 300 companies worldwide.
Details: The Defense Intelligence of Ukraine said it expects the Kremlin to "carry out massive cyberattacks" against critical infrastructure facilities in Ukraine and allied countries.
- These cyberattacks will be paired with increased "missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine," the agency said.
- Russia will also increase the intensity of the distributed denial-of-service (DDoS) attacks — which overwhelm a site with bot traffic to make it inaccessible — against organizations in Poland, the Baltic states and other allied countries.
- A spokesperson did not respond to questions about the intelligence that prompted this warning or when the attacks are expected.
Between the lines: Vague advisories like these usually indicate that intelligence agencies have seen new intel, even if they can't say what that is.
The big picture: Russian President Vladimir Putin mobilized an additional 300,000 reserve soldiers to fight in Ukraine last week.
- Victor Zhora, a senior Ukrainian cyber official, expressed concern that the mobilization could lead to escalated cyber aggression.
- In the seven months since Russian forces invaded Ukraine, low-level DDoS attacks have largely defined Russia's cyber strategy.
What they're saying: "With a few exceptions, we have not seen the scaled, serious attacks we expected even before the war began," says John Hultquist, vice president of intelligence analysis at Mandiant. "There is still significant room for Russia to escalate, especially with regard to Ukraine’s allies."
- A spokesperson for the White House National Security Council tells Axios that it will coordinate closely with NATO allies and the private sector to strengthen their ability to fight Russian attacks. “We’ve long said this is the Russian playbook," the spokesperson says.

FTC considers strengthening its consent decree security hammer
Recent cybersecurity incidents at Uber and Twitter have called into question the FTC's effectiveness in forcing companies to take security seriously.
The big picture: The country's lead data security regulator is starting to get creative in order to grab the attention of a private sector that has increasingly flouted government mandates.
How it works: When a company faces a major data breach or gets caught abusing its users’ privacy, the FTC is required by law to reach an agreement with the violating company — known as a consent decree — to upgrade its privacy and security practices.
- Historically, the agency has simply required companies to establish privacy and security programs and hire third-party auditors to assess the changes.
- If a company violates that decree, usually with another major security incident, the FTC then has the power to fine that company.
Driving the news: FTC Chair Lina Khan told the Senate Judiciary Committee last week that the agency is examining ways to prevent companies from "treating FTC orders as suggestions."
- Khan said future consent decrees could name individual executives responsible for following the decrees or enhance assessments of a company's security practices.
- In his complaint, Twitter whistleblower Peiter "Mudge" Zatko alleged the company didn't take its 2011 FTC consent decree seriously, which was reached after hackers sent tweets from nine accounts, including then-President-elect Barack Obama's.
- Uber faced a massive security breach earlier this month despite conducting audits and establishing a privacy program following its own 2018 FTC consent decree, after it failed to disclose a 2016 breach of drivers' and riders' data.
Catch up quick: The FTC has already started including tighter security requirements in consent decrees.
- The agency required online retailer CafePress in an agreement this year to upgrade its multifactor authentication methods, encrypt Social Security numbers and minimize data collection practices.
- Last year, the FTC required at least two companies to delete any algorithms that were built on inappropriately collected data.
The intrigue: Consumer protection and privacy advocates argue the FTC can make wider systemic changes, even with its limited powers and resources, experts tell Axios.
- The FTC could write its own rules establishing security standards for all companies in the absence of congressional action on federal privacy legislation.
- Khan's idea to start naming executives as responsible parties in consent decrees could force the C-suite to take FTC orders seriously, since they could face individual fines, says John Davisson, senior counsel at the Electronic Privacy Information Center.
Yes, but: Without proper resources from Congress, the agency could have a hard time making a lasting impact.
- Because consent decrees are negotiated with individual companies, they require a lot of work and time for the FTC to monitor.
- David Vladeck, head of the FTC’s consumer protection bureau from 2009 to 2012, tells Axios the part of the bureau that worked on privacy never had more than 40 employees, leaving it to get creative with its resources.
- "The FTC has been resource starved since 1980, and I was like a triage nurse," Vladeck tells Axios. "We would've brought a lot more cases, and we would have done a lot more enforcement of consent decrees, if we simply had the resources to do it."
What's next: Experts aren't ruling out the possibility that lawmakers will pass federal privacy legislation this year — which could set security standards for companies and give the FTC more powers to enforce them.
Editor’s note: This story has been corrected to state that it was the consumer protection bureau’s privacy department which never had more than 40 employees during Vladeck’s tenure, not the whole of the bureau.

Duolingo founder on his Guatemala roots and recipe for success
The Guatemala-born founder of Duolingo, one of the biggest language education companies in the world, hopes his business can help more Latinos see themselves in tech and create a more inclusive industry.
Why it matters: Luis Von Ahn is one of few Latinos at the highest levels of a major U.S.-based corporation.

Meta disables two disinformation networks from China and Russia
Facebook parent Meta announced on Tuesday that it had taken down two sprawling networks using fake social media accounts engaged in covert influence campaigns being run from China and Russia.
Why it matters: The Russian network was the "largest and most complex" of its kind that Meta has discovered since the start of Russia's invasion of Ukraine and the Chinese network was the first to target U.S. politics ahead of the midterms, according to a Meta press release.

Elon Musk's Twitter revenge play
Elon Musk knows that there's a good chance he'll lose his lawsuit against Twitter, thus requiring him to buy the social media company for $44 billion. But, were that to happen, don't expect him to crawl under a rock and lick his wounds.
- Instead, Musk will focus on disproving the doubters.

NBA pushes boundaries with new mobile app
The NBA's newly refreshed free mobile app includes new videos and other features that aim to increase its engagement with fans while not angering the companies that pay billions to broadcast live games.
Why it matters: The NBA (along with its content partner Turner Sports, a division of Warner Bros. Discovery) wants its app to build a stronger direct relationship with fans, but can’t afford to alienate ESPN and the regional sports networks.

Payments shop Strike raises $80 million in Bitcoin maximalist flex
Strike, the mobile payments app that facilitates instant transactions via blockchain, has raised another $80 million in fundraising in a show of Bitcoin maximalist strength.
Why it matters: Strike is making the cumbersome digital asset "go" by using the Lightning Network, a layer 2 that enables faster and cheaper transactions and that its CEO, Jack Mallers, thinks could eventually make the crypto world more accessible to normal people.

Steve Case chronicles startup "explosion" in the heartland
Steve Case, AOL's co-founder, is out today with "The Rise of the Rest" — a hardcover accompaniment to his longtime passion project spotlighting blooming startup hubs outside the coastal giants.
Why it matters: He backs up his beyond-the-Valley thesis with seed + early-stage investments from his Revolution investment firm.

Taiwanese citizens prepare for possible cyber war
TAIPEI, Taiwan — An infusion of cash from a Taiwanese semiconductor magnate is helping fund new cyber defense training for Taiwanese citizens.
Why it matters: The goal is to fight online disinformation and hybrid warfare that could accompany a potential Chinese military assault on the self-governed island democracy.

Cyberpunk 2077 surges after Netflix anime debut
One of gaming’s most notorious recent releases, 2020’s Cyberpunk 2077, is making a comeback, aided by a popular new spinoff anime airing on Netflix.
Driving the news: Cyberpunk’s peak daily player count on PC gaming service Steam reached 136,724 on Sunday, more than 7x its daily high in August.

D.C. has begun a push to bring identity to DeFi
A surprise regulatory order last week signals Washington has run out of patience with decentralized finance's skirting of rules around tying customer identity to transactions.
Why it matters: The crypto industry has been, from its earliest days, a protest against the rules tying all financial transactions to real identities. Such rules became the norm after 9/11, but fans of bitcoin and subsequent technologies have been partly motivated by seeing how far they could push them.

FCC takes long-delayed step against spam text surge
The Federal Communications Commission approved a long-delayed proposal to crack down on spam texts Friday night after Axios asked agency members why it hadn't moved on the issue.
Why it matters: The number of spam text messages — which can include links or other tricks designed to steal money or personal information — has exploded, with the volume now exceeding that of robocalls.










