Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Authentik. You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Valley of Death

A new report from the Atlantic Council suggests the US needs to strengthen its exploit development pipeline if it wants to remain competitive in cyberspace. That report, Crash (exploit) and burn, compares how the 0day supply chain approaches differ between China and the United States. The author interviewed security researchers, national security and intelligence officials, and senior leaders from offensive hacking and vulnerability research companies in the Five Eyes countries. As a result, the portion that sketches out the US acquisition pipeline is excellent.

Unsurprisingly, it says finding exploitable 0days is difficult and getting harder. When it comes to a government acquisition pipeline, the report identifies several factors that amplify this problem. Current government contracting practices favor large prime contractors and focus procurement on very reliable exploits that can be used with very little risk of discovery. There's also a heavy compliance burden on contractors. The result is a very narrow acquisition funnel. Buyers end up with exquisite, but very expensive, 0days.

The report also identifies gaps in US training pathways:

Moreover, few university programs produce engineers ready to write fully functioning exploits. Multiple vulnerability research firms interviewed referenced a "training valley of death," where entry-level engineers out of university still require a year or more of talent development before they can produce a marketable product. While some intermediate-level trainings exist in companies or at conferences, they are currently insufficient—in either technical depth or timeframe.
By contrast, the report says China has a: …comprehensive and deliberate feeder system from universities, cybersecurity conferences, and hacking competitions into the Chinese offensive cyber apparatus. Chinese military universities and high-end science and engineering schools produce high-caliber graduates in deeply applied offensive cybersecurity research, some of whom are encouraged to develop final projects that involve hacking into US companies. Many of them, upon graduating, either work on offensive teams of existing offensive security firms, found an offensive cyber start-up, or work directly for high-end teams in China’s Ministry of State Security (MSS) or People’s Liberation Army (PLA).
The section on China's acquisition pipelines is less insightful. It describes what Americans think about China's pipeline, rather than sourcing information directly from Chinese experts. That would be difficult in the current climate, we admit. Still, the report makes a compelling argument that America's 0day acquisition processes are no longer fit for purpose. American agencies need to make some serious changes to strengthen the 0day supply chain, like improving procurement processes and filling in the talent pipeline.

This Isn't the Cyber War We Were Promised

American cyber capabilities have been used to directly support military operations in Iran, but almost certainly in the most boring way possible. At a Defense Department briefing, Joint Chiefs of Staff Chairman General Dan Caine said that US Cyber Command (USCYBERCOM) had supported US bomber strikes against Iranian nuclear facilities. He didn't provide details of what that support consisted of, although DefenseScoop speculated on the possibilities. The most sensational of DefenseScoop's suggestions is that USCYBERCOM was monitoring Iranian air defense systems and was poised to disable them if incoming aircraft were detected. At the Pentagon briefing Caine said that "Iran's fighters did not fly and it appears that Iran's surface to air missile systems did not see us".

We don't think that's what happened. Axios reported the Israeli Air Force took out multiple Iranian air defence systems in the days leading up to the bombing run. It is likely USCYBERCOM's contribution was a bit more mundane. DefenseScoop describes "something akin to a cyber escort package":

That includes backups and failsafes as well as ensuring the Department of Defense’s Information Network is up and running to enable communication. Defensive cyber protection teams would likely ensure infrastructure was up and running and protected from any adversary intrusions or disruptions. That could include teams supporting several combatant commands as well as those protecting the DOD Information Network and Transportation Command, headed by the DOD Cyber Defense Command.
Wow! That sounds as exciting as bus travel! We wonder what sort of offensive opportunities USCYBERCOM would even have on Iran's Internet at the moment. In the aftermath of recent Israeli-led cyberattacks, Iran's cyber security authority banned senior officials from using internet-connected devices and the government ordered a near total internet shutdown. Fatemeh Mohajerani, an Iranian government spokesperson, cited security as a justification for the shutdown. "Many of the enemy's drones are managed and controlled via the internet, and a large amount of information is exchanged this way … considering all these issues, we have decided to impose internet restrictions", Mohajerani said. At time of writing, it appears full service has been restored after a total blackout that lasted about three days, with partial interruptions continuing for another four. I guess that's one way to keep Cyber Command's options limited!

Three Reasons to Be Cheerful This Week:

- US goes after USD$225 million in scam cryptocurrency funds: The US Department of Justice announced it has filed a court action to seize the funds. The Department's complaint alleges the funds come from the theft and laundering of proceeds from cryptocurrency confidence scams and "were part of a sophisticated blockchain-based money laundering network that executed hundreds of thousands of transactions".
- Passkeys on Facebook: Meta has announced it is introducing passkeys for Facebook on mobile devices. The passkeys will eventually work on Messenger as well.
- Microsoft to remove legacy drivers: Microsoft has announced it will remove old drivers from the Windows Update system. The idea is to maintain coverage across the hardware used in the Windows ecosystem "while making sure that Microsoft Windows security posture is not compromised".
In this Risky Bulletin sponsor interview, Fletcher Heisler, CEO of Authentik, talks to Tom Uren about the inflection points that make organisations consider rationalising their Identity Providers (IdPs). The pair also discuss sovereign tech stacks and how to earn the trust of customers.
Authentik is an open-source identity provider that is also offered with paid enterprise features. In this demo, CEO Fletcher Heisler and CTO Jens Langhammer walk Risky Business host Patrick Gray through an overview and a demo of the technology.