2025-05-09 13:00:00| Fast Company

When the state of New York adopted a new whole-of-state approach to cybersecurity a few years ago, encompassing everything from transit to schools to power and water supplies, officials were still reeling from an attack that plunged part of Long Island into the paper-and-fax era of the ’90s.

Just before Christmas in 2021, a group of hackers, leveraging aging systems and outdated firewalls, quietly slipped into a computer in the Suffolk County clerk’s office and began spreading out across the network. It didn’t help that, over the following months, local officials ignored multiple warnings, including from the FBI, that something was amiss. When a ransomware attack eventually began months later, city services, including 911 operations, were knocked offline; some websites were out for months.

Even though it didn’t pay the ransom (the hackers, linked to the group AlphV/BlackCat, would lower their demand to $650,000), the county eventually paid over $25 million to get its systems back up. The damage didn’t stop there either, with the data of residents and employees, such as Social Security numbers and driver’s license numbers, still floating around the dark web.

The next year, Gov. Kathy Hochul made moves to step up the state’s cyber posture, including boosting cyber spending and launching a statewide cyber strategy, an approach that unifies services and integrates local governments into its larger plan. As part of a 2023 regulatory overhaul, public and private entities across the state are now required to take specific measures to secure systems and to disclose cyber incidents and ransomware payments to the state.

In 2022, Hochul also appointed the state’s first chief cyber officer, Colin Ahern, to lead cross-agency efforts to keep New York safe from attacks. Previously first deputy director of New York City’s Cyber Command and acting chief information security officer for the city, Ahern got his start in cybersecurity in the Army reserves.
He retired as a company commander in the Army Cyber Brigade, where he oversaw the creation of a specialized cyberspace operations organization.

Gov. Hochul named Colin Ahern New York’s first chief cyber officer in 2022 [Photo: Office of Governor Kathy Hochul]

Given his resumé, Ahern is particularly attuned to the ways governments at all levels can collaborate around better cybersecurity. For years, New York and other states have relied on federal support in the form of information sharing and technical resources backed by the Cybersecurity and Infrastructure Agency (CISA), as well as millions in cyber funds. A four-year, $1 billion federal grant program that launched in 2022 has proved especially helpful for cash-strapped localities, where IT resources are stretched thin, technology is out-of-date, and security practices may be minimal.

Still, states need more help: Nearly two in five state-level CISOs say they are not getting the support they need to keep threats at bay, according to a Deloitte survey last fall. And that number could rise: at CISA, recent budget cuts have decimated technical services states rely on, and put those federal funds at risk.

Fast Company spoke with Ahern about the impact of the federal cuts on states, the role that Washington can and should play in state-level cybersecurity, and the AI-backed threats that keep him up at night. This interview has been edited for clarity.

There are big questions now about how cuts in Washington are impacting cybersecurity at the state and local level. But before all that: what does the threat landscape look like right now?

The threat landscape continues to deteriorate really across two axes. Number one: we see a significant convergence, really accelerating in the last three or four years, that collapses the distinction between different threat actors.
There are the advanced persistent threat actors [APTs], aka nation-state actors, like those interested in espionage, like the so-called Salt Typhoon hacks allegedly perpetrated by the Chinese Ministry of State Security against the telecommunications industry, or military-focused preparations for cyber warfare. That includes Volt Typhoon, the alleged penetration by the People’s Liberation Army of China into our critical infrastructure, including water and power and other things.

The third category has always been financially motivated cybercrime of varying degrees of sophistication. On the low end, script kiddies, hacktivists, individuals. And on the high end, the increasingly accelerated professionalization of the cybercrime industry, magnified by a couple of things. Most principally, the ability to rapidly monetize the access to these systems via ransomware, and then extract value from those compromises in the form of a double extortion. And the whole ransomware ecosystem.

Right now, what we’ve seen is this convergence, a collapse from these three distinct groups, with their three distinct capabilities and three distinct target sets and three distinct motivations. We’re now seeing a collapse into everything and all of the above. You’re seeing Russian state-affiliated actors, astroturfing or moonlighting as ransomware operators. You’re seeing an increasingly blurred distinction between espionage and cyber warfare, like Salt Typhoon and Volt Typhoon.

And then you’re seeing the capabilities resident in these three different threat actor groups really not become that distinct at all. And that’s not because everyone’s getting worse. That’s actually because everyone’s getting better. And on top of that, everyone’s getting better at the same time as increasing government digitization, post-COVID consumer expectations, and other things. People have more and more technology systems, and they expect more and more of them. And that increases the threat surface.
So the convergence along these two axes really means that everyone really has to raise their game.

How has New York State upped its game in recent years?

I think New York State has a very important and powerful story to tell. In August of ’23, the governor released the state’s first ever whole-of-state cybersecurity strategy, and it really laid out a vision for making the state more unified by increasing access to cybersecurity tools and services, and making us more resilient by continuing to invest in critical infrastructure, especially lifeline critical infrastructure, both from a capital, grant perspective, but also in minimum standards that the state can promulgate. There’s also a focus on preparation, because we can either succeed together or we can fail separately.

We’re in the final stages of our budget, and we have several legislative and financial enhancements to the state cyber posture that the governor has made since she got into office. For example, she’s doubled the size of the Cyber Analysis Unit, the Computer Crimes Unit, and the Internet Crimes Against Children’s Center at the New York State Police. She’s invested tens of millions of dollars in shared services for local governments. Her shared services program covers nearly 100,000 government computers in 55 counties in more than 30 cities, villages, towns, police departments and sheriff’s offices across the state. So the governor has, I think, an extremely impressive record of delivering efficient, scalable, value-added services to local governments and county governments especially, who are under-resourced to say the least.

Are there things that are really keeping you up at night now, in terms of types of attacks and types of targets?

I have two little kids, so a lot of stuff keeps us up at night but I would say artificial intelligence. We’ve really seen the ability of AI to rapidly enhance the capability of moderately sophisticated threat actors.
A person who knows their way around Kali Linux, a person who knows what a git commit is, who now can, with the use of AI, really enhance their own capabilities. Say you have a situation in which you have a very popular open source package, then there’s a new patch release for that open source package. Previously, to reverse engineer a security vulnerability from a recent software patch is both time consuming, tedious, error-prone and requires non-trivial expertise.

So we’re not saying that Joe, Josephine, anybody could do this, but you take a person who kind of knows what they’re doing already and knows what they want: Now, with the aid of AI, they themselves can do work that used to take other very highly-skilled people days or even weeks. They now have the ability to rapidly reverse engineer software packages (in particular, open source packages where the source code is therefore widely known and inspectable) and then rapidly extract the vulnerability, weaponize that vulnerability in the form of an exploit, and then use that.

So AI is really reducing the flash-to-bang time of patch-to-exploit: Where it used to be seven days, 15 days, 30 days, now we’re seeing one day, two days, three days. And those were capabilities that only APTs used to have. Now you can go on Hacker News and find out how to do it.

How would you describe the role of the federal government in the state’s cybersecurity?

We think the state has been a good partner to the federal government. We have partnered closely. And it’s no secret that we’re watching with concern, like many, the cuts across federal agencies, the lack of confirmed leaders in key positions, and overall signs of that nature. In a circumstance where world events continue to conspire to make cyber increasingly relevant and important, states have tools. But states need the federal government to lead on coordination, unification, major incident response.
And that’s not even to mention there’s things that only the federal government can do, be they offensive or interstate or other issues.

Are there other things that you think the federal government is best positioned to do when it comes to cybersecurity? And what benefits to states are you most worried about losing?

I actually led a bipartisan public comment at the end of the Biden administration on the CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). This was actually legislation passed in Trump 1 about the required disclosure of cyber attacks. So we think that one of the things that only the feds can really do is this information sharing and operational collaboration. Our comment, which was signed by South Carolina and Ohio and New Jersey and on and on, really talked about how states and the federal government need to not just share information, but collaborate, in order to resolve the impacts that we potentially see from devastating cyber attacks, especially those against critical infrastructure. Everyone’s talking about supply chains these days, but a damaging cyber attack could very well take a long time to replace if those systems need to actually be replaced.

Many are confused about what the funding cuts in Washington will mean for state cybersecurity. I wonder what it looks like from your side: are people scrambling to try to figure out contingencies for the future? Are they scratching their heads?

All the above. Good information can be difficult to come by, but we continue to engage with our federal partners and our elected representatives in both houses, in both parties. But we’ve made very clear publicly and otherwise to the administration that we have partnered with the federal government for decades on these issues, and we want and expect that to continue. And obviously we’ve been worried about some of the enormously concerning reporting we’ve seen out of Elon Musk’s DOGE about data.
We want Republicans, we want Congress to exercise their oversight powers, like the governor has said on numerous occasions.

Do you think that there are certain things that need to change in terms of how the federal government and the states think about cyber? Do you see reasons for optimism?

I think there is some optimism. I would note that the two most significant advancements in the capabilities of the US government, to coordinate defensive activity and even prosecute and hold our adversaries at risk, happened really under Trump’s first administration, with the creation of the Cybersecurity Infrastructure and Security Agency, and the significant expansion of their capabilities, resources, and appropriations. Then, I think there were some significant coordination advancements under Biden’s term, including the first national cyber director. So we’d like that forward momentum to increase and even increase in pace. But it remains to be seen how that’ll play out.

One thing I would note is, there have been some recent bipartisan moves to take a hard look at how we’re organized in cyber. In December of last year, there was an amendment added to the National Defense Authorization Act talking about the need to study how the U.S. government and especially the Dept. of Defense is organized in cyber, a.k.a., The Cyber Forces study [to examine the viability of a new armed service]. It was actually watered down at the end of the Biden administration, but it remains in the law, and I think there’s wide acknowledgement that we need to take a look at how we’re organizing. And that amendment had bipartisan support and multiple sponsors in both parties in Congress, so I think there’s some optimism on that front.

Speaking of bipartisanship, how do you think about the political tint that’s shaded the conversation about cybersecurity?
It’s unfortunate, because I think there’s wide acknowledgement that we need to essentially do two things at once, and do them even faster and better than before. On the one hand, we all need to collectively raise our game because the adversaries are continuing to raise theirs, and that means falling in love every single day with the basics: multi-factor authentication, patching systems, risk management, certain response plans, et cetera.

And on the other hand, our adversaries are seeking to do bad things, and we need the capabilities, especially those that can only be resident in the federal government, to deter them in cyberspace. And we should be very clear about what we find not acceptable: attacks against critical infrastructure, hospitals and schools, et cetera.

And we could be somewhat circumspect in the manner in which we will deter our adversaries. We wouldn’t wanna give ’em a playbook or anything like that, but certainly the use of economic tools, sanctions, some of the indictments that have come down from the Dept. of Justice, naming and shaming cyber actors, including Russians and Chinese ones, and obviously offensive cyberspace operations. We need all of those tools to be ready, willing, and able to be used in furthering our national interest.

Where do you see the US’s interest in offensive capabilities, in more aggressive actions, fitting in alongside a defensive mindset?

Retired Rear Admiral Mark Montgomery and I wrote a piece in the Washington Post talking about some recent reporting (which was later denied in some fashion, ex post facto) about cessation of planning for Title 10 [offensive] Russian cyber operations. So we’re on the record as saying that we need an all-of-the-above approach, and we need to be planning. But in addition to that, I do think that the Trump administration has been very clear that they seek to hold our adversaries at risk, that they are interested in deterrence. They’ve made no secret of that, and I applaud that.
It just seems reasonable that we can’t expect different results with the same capabilities, the same organizations, so time will tell. Senator Kirsten Gillibrand from New York has been extremely influential on the issue of the Cyber Forces for many years. We’ve worked closely with her staff, and I’ve written publicly in support of her amendment [requiring the Pentagon to study the creation of a Cyber Force]. But like I said, it would be unfortunate for that to be caught up in the political maelstrom that it potentially could be.

Trade wars tend to escalate cyber tensions too. How much of a concern are the White House’s tariffs from a cybersecurity perspective?

I think a significant concern, and the governor has been extremely vocal and clear on the role of uncertainty and the importance of our trade partnerships, especially our partnerships with our NATO allies. New York is the gateway to Europe, as she said. But we also have an extremely close relationship with Canada.

One thing I’d say on the tariff front is, and the governor actually has met with the consul general, and has discussed this ad nauseam publicly: we have important projects that deliver power from Canada, our close trading partner. One is called the Champlain Hudson Power Express. It brings hydroelectric power north from Canada and south into New York. And I don’t know if you’ve heard of this thing called artificial intelligence, but it requires enormous amounts of power [laugh]. And for us to maintain our competitive edge, New York is actually in the process of building one of the largest semiconductor software foundries in the world: Micron Technologies, tens of billions of dollars of investment, tens of thousands of direct and indirect jobs.

And so these tariffs: obviously the economic uncertainty, the impact to real people’s lives, bank accounts, is important. But for us to maintain an edge in cyber, AI and semiconductors, we need our trading partners. We need clean energy.
And these are not issues that happen in silos or vacuums from each other.


Category: E-Commerce

 

LATEST NEWS

2025-05-09 12:51:00| Fast Company

Apple could owe you part of a class action lawsuit settlement centered around the company’s voice assistant, Siri. The settlement was reached in January, and Apple agreed to set aside $95 million to pay people who allegedly had their conversations or queries recorded after unintentionally activating Siri. Here’s what you need to know about the settlement, key dates, and how to determine whether you can participate in the $95 million payout.

What is the settlement about?

Back in 2014, Apple added a “Hey, Siri” hotword command that, when spoken, automatically triggers Siri on a compatible Apple device to listen to what is being said. The feature was meant to be useful to users by allowing them to trigger the voice assistant without having to physically press or tap a button.

But sometimes people could trigger Siri using the “Hey, Siri” voice command unintentionally or accidentally. The lawsuit alleged that the resulting words or conversations Siri picked up after these unintended activations were then shared with third parties or advertisers, and thus had their privacy violated.

As with nearly every class action lawsuit that it settled, Apple denied any wrongdoing. As the iPhone maker told Fast Company in January, “Apple settled this case to avoid additional litigation so we can move forward from concerns about third-party grading that we already addressed in 2019. We use Siri data to improve Siri, and we are constantly developing technologies to make Siri even more private.”

Now, users who are included in the settlement can begin filing claims for their share of the $95 million.

Who is included in the Siri settlement?

Not everyone who owns an Apple device is included in the settlement. In order to be part of the settlement class, you must meet several requirements, according to the official settlement website. Those include:

You must have owned or purchased a Siri-enabled iPhone, iPad, Apple Watch, MacBook, iMac, HomePod, iPod touch, or Apple TV.
Those devices must have been owned or purchased between September 17, 2014 and December 31, 2024.
You must reside in the United States and/or its territories.
Your confidential or private communications must have been obtained by Apple and/or were shared with third parties as a result of an unintended Siri activation.

How do I know if I am included in the settlement?

People who are known to be included in the settlement will have received an email or postal communication saying they have been identified as a settlement member. However, if you have not received such communication but still believe that you may be a settlement member, you can contact the settlement administrator.

How much can I get from the settlement?

The amount you receive from the $95 million settlement depends on various factors. Apple agreed to pay out $95 million to settle the class action suit, but some of that $95 million will go to pay for things like attorneys’ fees and other costs. Whatever is left over will be distributed to the settlement members on a pro rata basis.

Claimants are allowed to submit claims for up to five devices. Payments per device will be capped at $20 each. That means that a claimant is most likely to receive no more than $100. However, note that the settlement website says that payment amounts could increase or decrease depending on the number of claims filed. The final payment amount per device will not be known until all claims are submitted.

What should I do if I am part of the settlement?

If you are part of the settlement, you should file a claim using the claim form on the settlement website. Keep in mind that you only have until July 2, 2025, to file a claim. Any claims are expected to be paid after the final court hearing in August 2025. Full details of the class action settlement can be found on the settlement website.


Category: E-Commerce

 

2025-05-09 12:30:44| Fast Company

From his first moments on the balcony of St. Peter’s Basilica, Pope Leo XIV gave three important clues about what kind of leader of the 1.4-billion-member Catholic Church he will be.

Leo, formerly U.S. Cardinal Robert Prevost, was elected by the world’s cardinals on Thursday as the new pope on the second day of the conclave to choose a successor to Pope Francis, who died last month. He is the first pope from the United States, but holds dual citizenship in Peru, where he was a missionary for decades before becoming a cardinal.

Leo’s first clue was his choice of name. Popes often use this choice to send their first major signal about the priorities of their new papacy. Francis took his name from the 13th century St. Francis of Assisi, who rejected wealth and wanted to care for the poor. The last pope to take the name Leo, Leo XIII, focused much of his 1878-1903 papacy on advocating for the rights of workers, calling for fair pay, fair working conditions, and the right to join unions.

“By picking the name Leo XIV, he shows he is committed to the social teaching of the church,” said Rev. Thomas Reese, a Jesuit commentator who follows the papacy closely.

Leo’s second clue was his choice of language and the words he spoke, which put a clear emphasis on the need for peace, something Francis also often focused on. None of his speech to the crowds gathered in St. Peter’s Square was in English, but rather Italian, the language of the papacy, and a brief foray into Spanish to greet his former community in Peru. He did not mention the U.S.

“La pace sia con tutti voi!” (Peace be with you!), Leo’s first words in public, echoed the ones Catholics use in their celebrations but also offered an immediate message of peace in a world riven with conflict. Before heading into the secret conclave on May 7, the world’s cardinals issued a statement lamenting the conflicts “in Ukraine, the Middle East, and many other parts of the world” and making a “heartfelt appeal” for peace.

The new pope said he wanted to share God’s peace, calling it “a disarmed peace and a disarming peace” that is “humble and persevering.” Leo also mentioned Francis, who offered his last blessing to crowds in Rome on Easter Sunday, the day before he died of a stroke after battling double pneumonia for weeks.

“We still have in our ears that weak, but always courageous voice of Pope Francis,” he said. Leo asked permission to offer the same blessing Francis used just a few weeks ago, saying: “God loves us, God loves everyone, and evil will not prevail. We are in the hands of God.”

Leo’s third clue was in his choice of attire. Unlike Francis, who spurned all the trappings of the papacy including on the first day he was elected in 2013, Leo wore a traditional red papal garment over his white cassock. Although Leo follows in the tradition of Francis, he signalled he is a new, and different, pope.

Joshua McElwee, Reuters


Category: E-Commerce

 
