Archive for the ‘NSA’ Category

NSA Pushes Eavesdropping Law, Hits TikTok, Braces for AI-Boosted Attacks – Defense One

NSA leaders are fighting to persuade Congress to renew a controversial law that cuts red tape for intelligence agencies eavesdropping on foreign actors but which has also been improperly used hundreds of times to collect data on Americans.

"So FISA Section 702 is up for renewal this year. And it is a vital source of intelligence. It is an authority that lets us do collection against a known foreign entity who chooses to use U.S. infrastructure," Rob Joyce, the National Security Agency's cybersecurity director, said Tuesday during a Center for Strategic and International Studies event. "It makes sure that we don't afford the same protections to those foreign malicious actors who are on our infrastructure as we do the Americans who live here."

Section 702 of the Foreign Intelligence Surveillance Act, or FISA, gives the U.S. government the ability to digitally spy on foreign targets outside of the U.S. without a warrant. But civil-liberties groups have documented hundreds of times that U.S. citizens' social-media interactions, phone calls, and emails have accidentally been gathered in 702-related surveillance. New America calls such violations inadvertent or unintentional yet extremely concerning because they reveal systemic problems that result from the scope and complexity of the Section 702 surveillance program. Even the court that oversees FISA cases has noted violations.

But supporters of the law describe it as integral to intelligence and law enforcement efforts. Section 702 is set to expire and is up for reauthorization this year with an expected debate to come. And NSA plans to advocate hard for keeping it, Joyce said.

"I can't do cybersecurity at the scope and scale we do it today without that authority, and so we'll be working hard with Congress, with the administration, with our partners at FBI and others, DOJ, to figure out how we get 702 reauthorized. It's really vital."

New privacy laws, as well as privacy provisions in cybersecurity laws, are complicating things as well. The standards advanced in the European Union's five-year-old General Data Protection Regulation, or GDPR, have presented some roadblocks for intelligence agencies.

"There were second-order effects that we didn't - I won't say we didn't appreciate, because there were people sounding the alarm. They were not fully considered in the weight of that," Joyce said.

For example, it became more difficult to force internet registries to disclose who owns a domain name.

"The default was you couldn't know that thing. And so cybersecurity researchers all over the world lost the ability to follow connectivity between banned domains. So we've got to think about second-order reflections," Joyce said. "There is a need for data privacy, but we've got to have rational connectivity to the rule of law processes that still makes cybersecurity effective."

TikTok and ChatGPT: our friendly AI overlords?

Joyce said the concern with TikTok isn't potentially exposing personal data of a subset of individuals but the possibility that the Chinese government could access every bit of metadata the platform gathers.

"Do I think if I loaded TikTok on my phone, they're going to get to all the other sensitive things through that TikTok app tomorrow? Probably not. The cost of exposing to TikTok in that way to exploit one or a small set of users probably isn't worth it. But all the data, the metadata, that they do collect, that goes back to big servers, accessible to China - that's a problem," Joyce said.

TikTok CEO Shou Chew, who faced intense questioning from Congress last month, pledged that the app would remove U.S. users' non-public data to servers that can only be accessed by U.S.-based employees. But the NSA cyber director said, echoing lawmakers' concerns, that even the algorithms pose a threat.

"The idea that they own the algorithms that promote or suppress the content. That's a huge problem when you have millions upon millions of eyes consuming the content, and they can dial up something that is divisive, or they can dial down something that is threatening to the PRC. That's the advantage," he said.

ChatGPT, which holds some promise to improve daily operations in the Pentagon, also poses concern to cybersecurity, particularly when it comes to crafting more sophisticated phishing messages.

"The technology's impressive. It is really sophisticated," Joyce said. "Is it going to, in the next year, automate all of the attacks on organizations? Can you give it a piece of software and tell it to find all the zero-day exploits for it? No, but what it will do is it's going to optimize the workflow. It's going to really improve the ability for malicious actors who use those tools to be better or faster."

That includes phishing or fraud messages that read more like native English-language speakers.

"And in the case of the malicious foreign actors, it will craft very believable native-language English text, that could be part of your phishing campaign or your interaction with a person or your ability to build a backstory - all the things that will allow you to do those activities or even malign influence - that's going to be a problem," Joyce said.

AI will also help certain hackers reach a new level, he said.

"Is it going to replace hackers and be this super AI hacking? Certainly not in the near term, but it will make the hackers that use AI much more effective and they will operate better than those who don't," he said.


AI tools like ChatGPT likely to empower hacks, NSA cyber boss warns – C4ISRNET

WASHINGTON - Generative artificial intelligence that fuels products like ChatGPT will embolden hackers and make email inboxes all the more tricky to navigate, according to the U.S. National Security Agency cybersecurity director.

While much-debated AI tools will not automate or elevate every digital assault, phishing scheme or hunt for software exploits, NSA's Rob Joyce said April 11, what it will do is optimize workflows and deception in an already fast-paced environment.

"Is it going to replace hackers and be this super-AI hacking? Certainly not in the near term," Joyce said at an event hosted by the Center for Strategic and International Studies think tank. "But it will make the hackers that use AI much more effective, and they will operate better than those who don't."

U.S. officials consider mastery of AI critical to long-term international competitiveness, whether that's in defense, finance or another sector. At least 685 AI projects, including several tied to major weapons systems, were underway at the Pentagon as of early 2021.

With enough training, the technology can handle menial tasks, such as answering questions and digging up contact information, or augment military operations by parsing tides of incoming information and facilitating exploration of areas deemed too dangerous for troops.

Something as sophisticated as OpenAI's ChatGPT, Joyce said Tuesday, can be used to "craft very believable native-language English text" that can then be applied to phishing attacks or foreign influence campaigns. ChatGPT is capable of holding humanlike conversations with enough prompting, and it can provide content like poetry, essays or computer code within seconds.

"That's going to be a problem," Joyce said.

OpenAI CEO Sam Altman has acknowledged potential risks, telling ABC News in March that he worries about how these models could be used for large-scale disinformation and could be used for offensive cyberattacks. He also sought to explain its guardrails, meeting with lawmakers earlier this year to demystify the product.

ChatGPT logged more than 1 million users within a week of its late-2022 launch. The application is thought to be the fastest growing in history, outpacing TikTok and Instagram to 100 million active monthly users.

Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration, namely Cold War cleanup and nuclear weapons development, for a daily newspaper in South Carolina. Colin is also an award-winning photographer.


US tech firms should wargame response if China invades Taiwan, warns NSA cybersecurity chief – Breaking Defense

WASHINGTON - Russia's invasion of Ukraine last year sent American tech firms scrambling to shore up their operations, especially those with workers in danger zones. But a Chinese invasion of Taiwan would have even more chaotic consequences for which businesses should start planning today, said the National Security Agency's director of cybersecurity, Rob Joyce.

"We had a lot of companies who had to endure hard decisions and take rapid action at the time of the invasion in February 2022," Joyce said at the Center for Strategic & International Studies this morning. "Often they had people in Ukraine that were now going to be in a war zone and they had to think about getting them out. They had Russian or Ukrainian sysadmins [systems administrators], and they had to think about what privileges they wanted them to have. They had network segments in Russia or Ukraine and they had to think about whether they severed that or firewalled that. They had to think about whether they just pulled all the way out of their Russian businesses and what the implications were."

Joyce said for all that complexity, a Chinese invasion of Taiwan would be even worse, considering how [much] more intertwined Taiwan is with the global economy and how much more of a cyber threat China may pose compared to Russia.

"That's a really hard problem," he emphasized, "and you don't want to be starting that planning the week before an invasion when you're starting to see the White House saying it's coming. You want to be doing that now and buying down your risk and making those decisions in advance and it's really hard, so tabletop it and see where your pain points are."

Ukraine is a major global supplier of grain and a throughway for Russian oil and gas, which continues to flow through pipelines to Europe right across the war zone, so the war had global economic impacts, including potential famines in poor countries. Ukraine is also a significant source of cyber crime, much of it historically aligned with Russia, so conflicts between formerly friendly Russian and Ukrainian hackers have disrupted the criminal world.

But Taiwan is the global hub of semiconductor manufacturing, producing 60 percent of all chips and 90 percent of the most advanced ones, with a GDP three times larger than Ukraine's. And unlike Ukraine, Taiwan's an island, with no neighbors to drive or take the train to when companies need to evacuate people and assets. Any movement on or off Taiwan would have to pass through disputed waters where Chinese forces can attack, while anything leaving Ukrainian territory headed west has legal sanctuary as soon as it crosses the land border.

And China is a much bigger country than Russia, with more GDP and more technical talent to deploy. "The threat of China is capacity and resources," Joyce said. "We're used to kind of a narrative of this unsophisticated, loud threat and yes, there is an enormous amount of unsophisticated, loud Chinese threat. But there are also elite units that have tools and tradecraft that [are] very sophisticated. That's the concern, [if] they're able to scale and use that elite set of concepts and tools at a much bigger pace."

Despite the differences, Joyce said there's a lot of lessons to learn from how the Ukrainians protected themselves that apply to other scenarios, including US firms operating on Taiwan.

"They were very resilient. How did they get that? They got there because they practiced for years," he said. "They've gotten to the point where, you know, the Ukrainian sysadmins knew they had to have backups, and when they got a [data destroying] wiper virus they shrugged their shoulders, they cleaned the machine, they reloaded from backup and they moved on."

What's more, he said, around the invasion they got an uplift from the US government providing resources, but [also] a lot of pro bono industry support, to make them much harder targets. One of the most important cyber-maneuvers: moving activity off of data centers physically on Ukrainian territory to cloud servers in the West. So instead of being on servers amidst the war zone, with a handful of Ukrainian systems administrators struggling with power outages, bombardments, and even potential takeover by Russian troops, Ukrainian networks increasingly ran off servers in sanctuary, on Western territory with vast teams of Western government and industry cyber defenders.

"You now went from two people who were maintaining and operating those servers to teams of hundreds or thousands," Joyce said. What's more, he said, those centralized Western cloud providers were easy points of contact for the NSA and other government backup support that could never have found its way to all the individual small operations previously scattered across Ukraine.

"I wasn't going to find those two server admins in Ukraine and be able to help them directly like that," he said.


The NSA’s Brain Drain Has a Silver Lining – Defense One

For more than 60 years, the National Security Agency was the employer of choice for the country's top cyber and tech talent. Even the Edward Snowden scandal in 2013 did little to mar the agency's ability to hire and keep talent. In 2015, then-Director Mike Rogers could rightly boast about his agency's under-2 percent voluntary attrition rate, better than its government and industry peers.

But by 2016, reports of a brain drain were emerging from the halls of Fort Meade. Competition with Big Tech for talent had intensified. Internal discontent over organizational tumult, bureaucratic inertia, and lagging innovation pushed the attrition rate past 6 percent. One cybersecurity executive was reportedly stunned by the caliber of would-be recruits leaving government service. Two years later, attrition had risen to 8 percent, even 9 percent for technical personnel, in what was described as an attritional epidemic.

This year, the agency more comfortable operating in the shadows launched one of its largest hiring surges in 30 years to confront its talent shortage. The public campaign even includes job postings on LinkedIn (where most employees don't have accounts). NSA also awarded defense giant CACI International $2.4 billion to augment the ranks of NSA's analysts.

A retention problem at NSA is a prima facie cause for national-security concern. But there's a silver lining in the trends driving this exodus: they are the down payment on a stronger, more diverse, and more resilient cybersecurity ecosystem.

First, the talent exodus from NSA to the private sector reflects a development long sought by agency leaders: companies are at last ready and willing to take more responsibility for cyber defense. Those leaders have for years called upon companies to bolster their cyberdefenses and share more cybersecurity information because as much as 85 percent of critical cyber infrastructure, just as important to national security, is privately owned and operated, and therefore outside NSA's purview. (Amazon Web Services going down, for example, would hurt the American economy more than a temporary NSANet outage.)

Now it is happening. If cybersecurity is a team sport, as current NSA Director Gen. Paul Nakasone likes to say, then the private sector has muscled its way off the bench and into the starting lineup. Recall that FireEye alerted the NSA, and not the reverse, about the 2020 SolarWinds hack, one of the most sophisticated cyber attacks ever.

Second, the movement of cyber talent between NSA and the private sector facilitates the necessary cross-pollination of knowledge, expertise, and perspective that improves collective defense. Cyber threats to the public and private sectors have converged, and hackers in Beijing and Moscow no longer reserve their most complex tools for government networks. NSA's growing cadre of cyberwarriors have a deep understanding of malign cyber actors' tradecraft, tools, and capabilities, but are less knowledgeable about U.S.-based activity. Private industry monitors a larger virtual attack surface area, including domestic networks, and is quicker to share information about threats, respond to incidents, and manage crises. With a healthier appreciation for each other's capabilities, priorities, and ways of working, both NSA and the private sector can foster organizational trust and forge a more constructive relationship.

Third, the high demand for former NSA employees increases the agency's attractiveness as an employer. People may be more likely to apply to NSA if they believed a stint at the agency would boost their career, not sentence them to a 30-year stint in government. (Look at how students flood top consulting firms and investment banks with resumes, partly attracted by the impressive career doors that open to them when they depart.) Today, the breadth and diversity of exit opportunities for both technical and non-technical NSAers is rich. Ex-agency employees populate the threat intelligence teams at Fortune 500 companies. As startup founders, they raised over $300 million in venture capital in 2021 and more than $1 billion since 2013, according to Pitchbook data. They serve in senior White House positions.

So what should the NSA do?

First, NSA leaders must reimagine the agency's role within the broader cybersecurity ecosystem; it's no longer the only game in town. One inspiration could be Unit 8200, NSA's Israeli counterpart. Most of Unit 8200's worker-bees leave the service when their conscription ends, then go on to work at, run, and start some of the world's leading cyber companies (think Palo Alto Networks and NSO).

Second, NSA should use former employees as unofficial ambassadors for the agency and its mission to the rest of the cybersphere. They have worked on both sides of the fenceline and can build bridges between the startup world, private sector, and the powerful government science and technology workforce. They understand the agency's DNA, but have a cross-ecosystem perspective. To be sure, NSA senior leaders have made outreach to former employees a priority. Forums like an NSA Alumni Board could institutionalize alumni engagement.

The cybersecurity paradigm has changed. A Crowdstrike analyst's work can inform the strategic thinking of the president of the United States. Developers at Meta disrupt Russian botnets. But neither can legally burrow into the internal networks of malign cyber actors for doctrinal insights. The talent transfer has tremendous implications, both positive and negative, for America's cyberdefense posture. A secure future in cyberspace will emerge not from siloed and competing centers of excellence, but from the fusion of public and private sector collaboration. It's important we get it right.

Evan Rosenfield spent almost a decade in the U.S. intelligence community, serving in various operational, analytical, and policy positions in counterterrorism and cybersecurity.


Five Things to Know About NSA Mass Surveillance and the Coming Fight in Congress – ACLU

One of the most sweeping surveillance statutes ever enacted by Congress is set to expire at the end of this year, creating an important opportunity to rein in America's sprawling surveillance state.

Section 702 of the Foreign Intelligence Surveillance Act permits the U.S. government to engage in mass, warrantless surveillance of Americans' international communications, including phone calls, texts, emails, social media messages, and web browsing. The government claims to be pursuing vaguely defined foreign intelligence targets, but its targets need not be spies, terrorists, or criminals. They can be virtually any foreigner abroad: journalists, academic researchers, scientists, or businesspeople. And in the course of this surveillance, the government casts a wide net that ensnares the communications of ordinary Americans on a massive scale in violation of our constitutional rights.

As Congress debates the reauthorization of Section 702, it's vital that we tell our representatives in Congress that we want an end to warrantless mass surveillance. Here's what you need to know to follow the debate and speak up for your right to privacy.

1. The NSA uses Section 702 to conduct at least two large-scale surveillance programs.

The government conducts at least two kinds of surveillance under Section 702:

PRISM: The NSA obtains communications such as international messages, emails, and internet calls directly from U.S. tech and social media companies like Facebook, Google, Apple, and Microsoft. The government identifies non-U.S. person accounts it wishes to monitor, and then orders the company to disclose all communications and data to and from those accounts, including communications with U.S. persons.

Upstream: Working with companies like AT&T and Verizon, the NSA intercepts and copies Americans' international internet communications in bulk as they flow into and out of the United States. The NSA then searches for key terms, such as email addresses or phone numbers, that are associated with its hundreds of thousands of foreign targets. Communications determined to be to and from those targets, as well as those that happen to be bundled with them in transit, are retained in NSA databases for further use and analysis.

Critically, while Section 702 does not allow the NSA to target Americans at the outset, vast quantities of our communications are still searched and amassed in government databases simply because we are in touch with people abroad. And this is the bait-and-switch: Although the law allows surveillance of foreigners abroad for foreign intelligence purposes, the FBI routinely exploits this rich source of our information by searching those databases to find and examine the communications of individual Americans for use in domestic investigations.

2. Section 702 surveillance is expanding.

The scale of Section 702 has been growing significantly over time, meaning more and more Americans are caught in this net.

When the government first began releasing statistics, after the Snowden revelations in 2013, it reported having 89,138 targets. By 2021, the government was targeting the communications of a staggering 232,432 individuals, groups, and organizations. Although the government often seeks to portray the surveillance as targeted and narrow, the reality is that it takes place on a massive scale.

Indeed, the government reported that in 2011, Section 702 surveillance resulted in the retention of more than 250 million internet communications (a number that does not reflect the far larger quantity of communications whose contents the NSA searched before discarding them). Given the rate at which the number of Section 702 targets is growing, it's likely that the government today collects over a billion communications under Section 702 each year. But these statistics tell only part of the story. The government has never provided data on the number of Americans who are surveilled under PRISM and Upstream, a number that is surely also increasing. That is a glaring gap in its transparency reports.

3. Section 702 has morphed into a domestic surveillance tool.

Although Congress intended Section 702 to be used for counterterrorism purposes, it's frequently used today to pursue domestic investigations of all kinds. Both the FBI and CIA have access to some of the raw data produced by this surveillance, and they increasingly use that access to examine the private communications of Americans they are investigating, all without a warrant.

FBI agents routinely run searches looking for information about Americans as part of criminal investigations, including those that have nothing to do with national security. Based on the most recent reporting, agents conduct millions of these U.S. person queries, also known as backdoor searches, each year. The only limitation on backdoor searches is that they must be reasonably likely to retrieve foreign intelligence or evidence of a crime.

The standard for conducting backdoor searches is so low that, without any showing of suspicion, an FBI agent can type in an American's name, email address, or phone number, and pull up whatever communications the FBI's Section 702 collection has vacuumed into its databases over the past five years. These searches are a free pass for accessing constitutionally protected communications that would otherwise be off-limits to the FBI, unless it got a warrant.

Evidence that agents have refused to comply with this low bar for conducting searches has piled up. Agents have violated the FBI's own rules over and over, accessing Americans' private communications without any legitimate purpose. They have dipped into Section 702 data for information about relatives, potential witnesses and informants, journalists, political commentators, and government officials, including a member of Congress.

4. Section 702 violates our constitutional rights, but the courts have failed to intervene.

The Fourth Amendment guarantees the right to be free from unreasonable searches and seizures. Government agents are required to obtain a warrant to access our emails, online messages, and chats. Large-scale, warrantless surveillance of Americans' private communications is at odds with this basic constitutional principle.

Section 702 also violates the Constitution by inhibiting freedom of speech and association. The reasonable fear that the U.S. government is spying on communications may deter journalists, lawyers, activists, and others from communicating freely on the Internet. We all have a right to exchange messages with our friends, family, colleagues, and clients abroad without worrying that the government is reading over our shoulder.

Because Section 702 is unconstitutional, the ACLU and others have attempted to challenge it in court. But the courts have failed to protect our constitutional rights. Instead, courts have repeatedly dismissed civil cases challenging Section 702, citing government claims of secrecy, and have declined to rule on claims in criminal cases that the government's backdoor searches violate the Fourth Amendment. This year, we brought one of these cases to the Supreme Court, but it refused to consider it.

5. Congress has the power to stop Section 702 surveillance.

Given the courts' inaction, it is up to Congress to stand up for our rights. Fifteen years ago, Congress enacted Section 702. Members of Congress should not vote to renew this law without fundamental reforms to protect Americans' privacy.

These reforms should include:

Beyond reforming Section 702 itself, Congress should also adopt broader safeguards that protect Americans in the face of bulk surveillance and strengthen court oversight when the government engages in spying for intelligence purposes.

Over the next year, the ACLU will be seizing on this moment to press Congress to reclaim our privacy rights. We invite you to join us by sending a message to your representatives now.
