Friday, December 15, 2023

💧 Water insecurities

Plus: ChatGPT attacks | Friday, December 15, 2023
 
 
Presented By Wiz
 
Axios Codebook
By Sam Sabin · Dec 15, 2023

😎 TGIF, everyone. Welcome back to Codebook.

  • 🎁 We somehow have only one edition of Codebook left after today before we take off for the holidays. Let's dive in!
  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

Today's newsletter is 1,430 words, a 5.5-minute read.

 
 
1 big thing: Keeping hackers out of the U.S. water supply
Illustration of a poison symbol made of binary code, over water.

Illustration: Brendan Lynch/Axios

 

A wave of state-backed cyberattacks against U.S. water systems in the last month is bringing federal attention back to the digital challenges facing water utilities.

Driving the news: Late last month, an Iran-linked hacker group hacked a water authority in western Pennsylvania, along with a handful of other unidentified water utilities and critical infrastructure organizations.

Why it matters: While the attacks had seemingly no impact on water supplies, they sent a clear warning to policymakers and water utility operators to prioritize basic cyber hygiene.

  • Anne Neuberger, deputy national security adviser for cyber and emerging tech, told the Associated Press last week that the attacks should be a call to action for utilities.

The big picture: The U.S. water system is made up of 150,000 individual systems, and 93% of those serve fewer than 3,000 people, said Kevin Morley, manager of federal relations for the American Water Works Association, at an event in Washington this week.

  • The vast majority of water utilities are municipality-run entities, leaving them with little funding to hire cyber-specific staffs and provide basic employee cyber training.
  • Many water systems also operate on legacy systems that are tricky to upgrade or bring into the cloud, experts say.

Catch up quick: Even before the recent wave of cyberattacks targeting water systems, the Biden administration was facing difficulties regulating the sector's cybersecurity needs.

  • The Environmental Protection Agency attempted to require states to include basic cyber questions in already required sanitation inspections — but ultimately, the agency had to withdraw the rule due to a court challenge.

Between the lines: Despite the legal hurdles, policymakers and industry leaders still see a path forward for water utilities to quickly step up their cyber strategies, according to a report released Wednesday by Microsoft and the Cyberspace Solarium Commission 2.0 (CSC 2.0).

  • For one, water sector operators should conduct their own risk assessments and implement multifactor authentication on capability systems, the report notes.
  • State administrators can also allocate funds from existing pools, including those in the Drinking Water and Clean Water State Revolving Funds, to cybersecurity upgrades.
  • The recommendations are based on a series of roundtables hosted in late 2022 and 2023 with industry and government participants.

Details: The report's authors are also mobilizing to help small water and wastewater utilities tackle one of their biggest vulnerabilities: human behavior.

  • Over the next year, Microsoft, the Cyber Readiness Institute, and the Foundation for Defense of Democracies (FDD), which houses the CSC 2.0, will coach small water and wastewater utilities on basic cybersecurity and provide employee trainings.

What they're saying: "We're at a point where we're shifting towards more than just the 'what,'" Morley said at the event unveiling the report. "How do we get to there and enable them with the 'how' part? There are a number of different paths we can get there."

Yes, but: Waiting for the EPA and other regulators to pass new regulations isn't an option, Tom Fanning, executive chairman of Southern Company, said during this week's event.

  • "We've always got to find a way to do better," Fanning said. "Given the urgency of the problem, what we got to do is move as fast as we can."
  • Fanning pointed out that water utilities, along with the rest of the private sector, need to "move with a sense of urgency" and start taking advantage of free cyber resources available to them.
 
 
2. Hacking group sets sights on ChatGPT
Illustration of a web browser guarded by lasers

Illustration: Annelise Capossela/Axios

 

Anonymous Sudan, a politically motivated hacking group, is pledging to keep targeting OpenAI's ChatGPT as part of its campaign against Israel and the country's supporters.

Why it matters: The group has already claimed responsibility for a few ChatGPT outages in the last month — with the latest happening early Thursday morning.

Driving the news: OpenAI said Thursday that it had resolved a major outage that lasted for around 40 minutes, making service "intermittently unavailable," per CNBC.

  • On its Telegram channel, Anonymous Sudan claimed responsibility for the attack during the outage.

What they're saying: "We will continue targeting ChatGPT until the genocide support, Tal Broda is fired and ChatGPT stops having dehumanizing views of Palestinians," the group wrote on Telegram.

  • Broda, OpenAI's head of research platform, has made several social media posts in support of Israel during the war with Hamas.

The big picture: Anonymous Sudan — which some experts have suggested could also be a front for pro-Russia group Killnet — is one of many hacking groups that is targeting Israeli organizations as part of the ongoing war.

  • These hacktivist groups have also started going after organizations in allied countries.
  • Around the same time as the most recent ChatGPT outage, Anonymous Sudan also claimed to have targeted the video game Rocket League, which is operated by U.S. company Epic Games.

Threat level: Anonymous Sudan claims to have been targeting ChatGPT by overloading its networks with bots, making the site inaccessible.

  • This attack tactic, known as a distributed denial-of-service (DDoS) attack, is Anonymous Sudan's go-to move. The hacking group is unlikely to be breaching OpenAI's internal networks.
  • DDoS attacks are more of a nuisance for users trying to access a service, and they've become more commonplace.

What they're saying: OpenAI did not respond to a request for comment on Anonymous Sudan's claims.

 
 
3. Lawmakers push surveillance debate to 2024
Illustration of the Congressional Dome disappearing in an hour glass

Illustration: Sarah Grillo/Axios

 

Lawmakers have officially punted a debate over the renewal of a controversial government surveillance program to the new year.

Why it matters: The decision leaves the program intact without changes until April 19, saving it from expiration at the end of this year.

Driving the news: The House voted Thursday, following a late-night Senate vote Wednesday, to send a must-pass National Defense Authorization Act to President Joe Biden's desk.

What they're saying: "We are relieved and grateful that Congress recognizes that allowing Section 702 to lapse even temporarily would be catastrophic to U.S. national security and the safety of the American people," Matthew Olsen, assistant attorney general for the Department of Justice's national security division, said in a statement.

  • "We cannot afford to be blinded to the many threats we face from foreign adversaries, including Iran and China, as well as terrorist organizations like Hamas and ISIS," he added.

Yes, but: Privacy advocates argue that even allowing a short-term extension of Section 702 could allow the intelligence community to take advantage of the program beyond April.

  • Currently, intelligence officials rely on the FISA court to review whether their use of the Section 702 program is legal.
  • Those certifications, which advocates say can be granted in early 2024, could last a whole year.
  • "Including Section 702 in the NDAA not only threatens to perpetuate continuous abuse of FISA into 2025, it imperils the NDAA's passage in the House," Sean Vitka, policy director of Demand Progress, said in a statement.

What's next: Now that the House has officially left Capitol Hill for the rest of the year, expect debate on lawmakers' lingering Section 702 bills to continue in the new year.

 
 


 
 
4. Catch up quick

@ D.C.

📝 Here's what you need to know about the new Securities and Exchange Commission cyber rules going into effect today. (Wall Street Journal)

🏛️ The Senate confirmed Harry Coker Jr. as the next national cyber director. (Axios)

📲 The Federal Communications Commission has adopted changes to its data-breach reporting rules for carriers and telecommunications providers. (Bloomberg Law)

@ Industry

🚨 Google said it will no longer respond to geofence warrants, which law enforcement authorities use to force companies to hand over information about users in a given location. (Forbes)

🏗️ Microsoft obtained a court order to take down web infrastructure tied to cybercrime group Storm-1152. (CyberScoop)

📑 Check Point Software Technologies said in an SEC filing that it voluntarily provided documents and other information as part of the agency's inquiry into the SolarWinds cyberespionage campaign. (Cybersecurity Dive)

@ Hackers and hacks

🍎 Des Moines Public Schools' technology director shares how the district's system was hit with ransomware earlier in the school year. (Axios)

🇷🇺 Solntsepek, a hacking group linked to the Russian military, has claimed responsibility for a cyberattack on one of Ukraine's largest internet providers. (Wired)

🪙 Ledger, a widely used crypto hardware and software wallet, said hackers have compromised the code behind its crypto protocol, affecting multiple web3 applications and services. (TechCrunch)

 
 
5. 1 fun thing

I can't stop thinking about this story of a "Russian economist" who arrived in the U.S. without a plane ticket, passport or visa — and even he seems confused about how he got here.

 
 


 

☀️ See y'all Tuesday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
