Monday, July 31, 2023

Scan your eye for free money

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

Driving the day

WorldCoin is a new cryptocurrency from OpenAI’s Sam Altman with global ambitions. But to get in on the action, you’re going to have to give them some very unique biometric data.

HAPPY MONDAY, and welcome to Morning Cybersecurity! Who is going to Black Hat and then Def Con? John and I will be parachuting into Vegas in the next few days to report live and direct from the conferences. If you’re also in town, let’s meet over some coffee and embargoes.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below. Let’s dive in.


CRYPTO CORNER

A REAL EYE CATCHER — Scan your iris to prove you’re a “real and unique” human and get free crypto. The pitch for the all-new WorldCoin — a digital currency launched within the last week from OpenAI CEO Sam Altman — asks users to visit a shiny spherical device called an “orb” for an eye scan in exchange for a “digital passport” and some digitized dough.

At the time of writing, there were more than 2.1 million “unique humans” in WorldCoin’s global network, with orbs in more than a dozen countries. But with something as existential and revolutionary as an iris scan, there is serious skepticism from AI and privacy experts who aren’t sure what a future society with stolen DNA credentials would possibly look like.

“Even if we can’t think of some clear pathways for exploitation today, it doesn’t mean that’s not going to happen,” said Jennifer King, privacy and data policy fellow at the Stanford University Institute for Human-Centered Artificial Intelligence. “It’s unlike having your name and address and Social Security number hacked – you can change almost all those things. But what are the risks if your DNA, something that uniquely identifies you, gets hacked?”

— And it’s not far away: Criminal hackers and foreign nation-states are actively targeting AI and other critical intellectual property in the U.S., a senior FBI official warned reporters in a recent briefing held on the condition of anonymity.

— Speaking of hacks: The new venture claims to be rooted in AI and privacy-preserving, but Altman, like many others in the industry, understands that not much is impervious to hackers. Just this March, OpenAI suffered a data leak that exposed some payment-related information and forced its AI-powered chatbot ChatGPT offline while the bug was patched. Earlier this month, OpenAI joined a handful of leading industry groups in a partnership with the White House to tackle AI governance — including a commitment to invest in protecting AI models from cyberattacks.

— Incoming inquiries: U.K.’s data regulator told POLITICO “we note the launch of WorldCoin in the U.K. and will be making further enquiries.” France’s privacy watchdog told Reuters: "The legality of this collection seems questionable, as do the conditions for storing biometric data."

The Federal Trade Commission told MC “no comment,” while the State Department said “the voluntary commitments recently brokered by the White House, underscore three principles that must be fundamental to the future of AI – safety, security, and trust.” The White House did not respond to a request for comment.

With all the hubbub, MC tried to sign up for WorldCoin, but there are no orbs in the D.C. area. We did learn through the app that the company asks users to back up their profile with a Google or email account. We know what you’re thinking: What the heck happens with my scan?

According to WorldCoin’s site, your iris pattern is permanently deleted as soon as you sign up … that is, unless you opt in to its “data custody” feature. And in that case, your biometric data is sent via encrypted communication channels to its distributed secure data stores, and deleted off the all-seeing orb.

WorldCoin did not respond to a couple of requests for comment about its data collection policies.

Cyber Warfare

MALWARE IN THE MILITARY — The Biden administration is actively searching for malicious computer code it suspects China has concealed in critical infrastructure networks connected to American military bases both in the United States and worldwide.

Unnamed U.S. officials and industry experts reportedly stumbled upon the malware lurking in networks controlling power grids, communication systems and water supplies, according to The New York Times. The fear is that Chinese hackers slipped in the code to mess with military operations if there is ever a conflict. Biden officials are now briefing members of Congress, some state governors and utility companies about the findings, the NYT reports.

Officials say the attacks happened before a May report found a Chinese malware strike on Guam, and the investigations revealed the malicious code is more widespread than they initially realized, going back at least a year.

— But … malware?: A joint report on the attack from CISA, the National Security Agency, the FBI and “Five Eyes” countries in May made no mention of malware. A Microsoft report from the same day also doesn’t mention malware, but does say the campaign had been active for over a year and that it would be difficult to kick the Chinese out.

— Tense cyber relations: China and the United States are finding themselves increasingly at odds, with the attack being revealed a week after POLITICO found that suspected Chinese hackers accessed the emails of U.S. Ambassador to China Nicholas Burns and Daniel Kritenbrink, the State Department’s assistant secretary of state for East Asia. Those cyberspies also broke into the emails of Commerce Department officials, likely accessing information ahead of Secretary of State Antony Blinken’s diplomatic trip to Beijing in mid-June.

— Back and forth: Chinese state media is also claiming an attack against the Wuhan Municipal Emergency Management Bureau last Wednesday was a “government-backed cyberattack” that “came from the U.S.”

In response, the State Department told MC: “We have no comment about the false allegations in question.”

At the Agencies

BLACK AND WHITE — A thin 3-2 SEC vote last Wednesday will start to lay the groundwork for a new policy requiring public companies to loop in investors within four days of a significant cyberattack. Despite widespread industry pushback since the policy was first drafted, one former SEC official tells MC it was always “very clear” the commissioners were going to vote the way they did.

“From the very beginning, the SEC was looking at this as black and white,” Era Anagnosti, former SEC acting assistant director of the office of finance, told MC. “And the topic of cyber is nothing but complex.”

Anagnosti said one of the biggest challenges corporate America — especially those new to cyber — will face is the ambiguous definition of a cyber incident that will have to be interpreted broadly and will lead to challenges in understanding and interpreting the rules.

Vulnerabilities

CYBER INSURANCE — It’s time to stop looking at your cyber insurance as a ransomware crime stopper, according to a new study that was part of a 12-month research program and published today.

The new report by the U.K. think tank Royal United Services Institute says cyber insurance — which is a policy that helps pay for financial losses in the event of an attack or a breach — is best meant to be considered as a safety net to protect losses in case of trouble, rather than as a full-on cybercrime fighter.

The RUSI report also found “no compelling evidence” that organizations with cyber insurance were more likely to pay ransom than those without it. According to the U.K. government’s 2023 cybersecurity breaches survey, 57 percent of businesses said they have a rule or policy against paying ransoms — meaning cyber insurance doesn’t seem to push organizations to shell out.

But instead of stopping ransom payments, RUSI advocates for interventions that would ultimately create more pathways for victims to avoid ransom payments.

— Silver lining: Cyber insurance is, however, playing a bigger role in making organizations more resilient against ransomware and other cyberthreats. The authors believe cyber insurance is one of the few market-based tools that encourage organizations to up their cybersecurity game.

But, the report also says cyber insurance should not be seen as a replacement for legislation and regulations to boost minimum cyber standards.

Tweet of the Day

“While Mr. Musk is hailed as a genius innovator, he alone can decide to shut down Starlink internet access for a customer or country …”

https://twitter.com/davidfrum/status/1685608160097107968

Quick Bytes

ANDROID’S N-DAY PROBLEM — Google’s annual zero-day vulnerability report found that gaps between upstream vendors and downstream manufacturers allow n-day vulnerabilities to persist longer in Android. Read Bill Toulas’ breakdown in Bleeping Computer.

NORWAY ATTACK UPDATE — A second vulnerability was discovered in the attack against a dozen Norway government agencies last week, reports The Record’s Jonathan Greig.

TRACKING SEX WORKERS — A group of Evangelical Christians is hosting “hackathons” that use advanced surveillance techniques to track down sex workers, whom they conflate with trafficking victims. The group prepares intelligence dossiers on women before turning them over to the police, report Jack Poulson and Sam Biddle for The Intercept.

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).
