The government isn’t great at explaining cyberthreats to Americans

Hi, friends. I’m taking a break from my post doling out tech advice to fill in for today’s Cybersecurity 202. As this Shania Twain bot likes to say: Let’s go girls.

Today: The Justice Department has charged the Russian administrator of a dark web marketplace, and Ukrainian cyber officials say Russian attacks are on the rise.

Cybersecurity education for consumers is lacking

The Biden administration took a big step forward in its cybersecurity efforts this week as the State Department launched a cyberspace and digital policy bureau with more than 60 staffers and plans to hire more.

Meanwhile, many of us are struggling with the most basic components of online security. “123456” is the most popular password in the world, based on analysis of breached data. About a third of us miss out on critical security fixes because we don’t keep up with software updates, according to a 2021 report from the National Cybersecurity Alliance. 

Technologists are bad at explaining cyberthreats and solutions in terms laypeople can understand, experts regularly tell me as I write for The Post’s personal technology vertical called the Help Desk. Sometimes, that means we spend decades making the same mistakes, says Eric Cole, who served on the Commission on Cybersecurity during the Obama administration and started his career in the 1990s as a hacker for the CIA. 

“If you had told me back then that in 2022 the No. 1 way people get hacked would still be bad passwords, I would not have believed you,” Cole told me.

Politicians catastrophizing

Policymakers grab headlines for being tough on cybercrime, but rarely do they pass security info down to constituents, according to Victoria Baines, a visiting fellow at Bournemouth University who wrote the book “Rhetoric of InSecurity.” 

Giving citizens frank information about digital threats is rarely at the top of lawmakers’ lists, and their imprecise language gives that away, Baines said. Cyberspace becomes the “Wild West” and encrypted messengers become “dark corners.” Even the FBI relied on an image of a scary-looking hacker in a dark hoodie to greet visitors to its public cybercrime website (it changed the image in 2020).

  • “The more that we represent cyberthreats as some kind of intergalactic horror story, the less safe people are actually going to be because the less capable they feel to protect themselves, their businesses, their friends and their loved ones,” Baines said.

Scare tactics might nudge consumers to take cybersecurity seriously, Baines said — but they also distract from the fact that policymakers themselves often don’t understand the tricky factors at play. 

Mass cybersecurity education campaigns aren’t particularly sexy. Back in 2004, the National Cybersecurity Alliance and U.S. Department of Homeland Security established National Cybersecurity Awareness Month to boost understanding of digital threats, but interest and participation have dropped since then, according to Kavya Pearlman, founder and CEO of the Extended Reality Safety Initiative.

  • “While there has been an increased sense of awareness due to recent executive orders around cybersecurity threats, the federal government and legislators are not sufficiently explaining to laypeople how emerging digital threats trickle down and affect everyone,” Pearlman said.
  • Pearlman said the government should do more and that she’s urged the Cybersecurity and Infrastructure Security Agency (CISA) to allocate some of its budget to educate citizens on the security risks of emerging technologies including artificial intelligence and the Internet of things.
  • A CISA spokesman wrote in an email that strengthening America’s cybersecurity requires a “whole-of-nation approach” and that the agency educates individuals on how to stay safe online through its website and social media, as well as “awareness campaigns, partnerships and [its] network of regional offices nationwide.”

National governments should use public health campaigns as a model for consumer cybersecurity education, Baines said. If governments can tell people how to wear masks to reduce the risk of coronavirus, they can explain basic digital hygiene, she argued. 

Some politicians are getting more comfortable discussing digital threats. Sen. Mark Warner (D-Va.), Sen. Ron Wyden (D-Ore.) and former Texas congressman Will Hurd (R) have consistently put cybersecurity center stage. 

Rep. Alexandria Ocasio-Cortez (D-N.Y.) took to Instagram this week to respond to questions from her audience, one of which touched on cybersecurity. 

“Cyber attacks on banks and the grid … how likely? Should we prepare? It’s scary,” one Instagram user wrote, apparently referencing cyberwarfare concerns as Russia continues its invasion of Ukraine. 

“Turn on 2 factor and use enhanced security to protect yourself and others,” Ocasio-Cortez said in a written response. “Don’t click on any weird links.”

Is it a thorough cybersecurity guide? Maybe not. But it nods at the practical advice policymakers rarely land on.

It’s your lucky day: The Post has a Security Reset Guide. 

Absent broad campaigns educating consumers on so-called digital hygiene, other resources must fill the gaps. The Post’s tech Help Desk is building a collection of practical cybersecurity guides to help readers get their digital ducks in a row. With the help of experts (and readers themselves), we walk through common questions about passwords, software, WiFi and more — and figure out the easiest ways to protect against online threats. Check back and click through whenever you need an extra hand — or send these to your parents. 

The U.S. government sanctioned a dark net marketplace and charged an alleged server administrator

The Treasury Department sanctions on Hydra Market came as German authorities seized the site’s servers and around $25 million in cryptocurrency. The Justice Department charged a 30-year-old Russia resident, Dmitry Olegovich Pavlov, with conspiring to distribute illegal drugs and commit money laundering in administering Hydra servers.

The Treasury Department also sanctioned Garantex, a cryptocurrency exchange that was originally registered in Estonia but was mostly operated within Russia, the department said. Of the more than $100 million in illegal transactions at Garantex, nearly $6 million was associated with the Conti ransomware gang and around $2.6 million was associated with Hydra, Treasury said.

Garantex operates out of the same Moscow tower where previously sanctioned exchanges Suex and Chatex have offices. The U.S. government accused the exchanges of facilitating ransomware transactions.

Jordanian activists’ devices were infected with Pegasus spyware, researchers say

At least some of the hacks on Jordanian human rights activists appear to have been carried out by Jordan’s government, Front Line Defenders and Citizen Lab said. Jordan denied the allegations, the Associated Press’s Josef Federman reports.

“According to their joint report, the hacks took place between August 2019 and December 2021,” Federman writes. “It said the last hack took place on an iPhone, indicating that NSO has continued to target Apple’s operating system even after a lawsuit by the global technology giant over previous hacks.”

NSO didn’t comment on the report but told the AP that monitoring activists with its software would amount to “severe misuse.”

An investigation by The Washington Post and 16 media partners last year found that NSO’s Pegasus spyware was used to target activists, executives and journalists. The U.S. government in November blacklisted the firm, restricting its ability to receive American technologies, after concluding that foreign governments used its spyware to “maliciously target” government officials, activists, journalists and academics.

Russian cyberattacks are on the rise, Ukrainian cybersecurity official says

Ukrainian officials said the rising cyberattacks mostly came in the form of attempts to spread malware on — and spy on — critical organizations in Ukraine, the Wall Street Journal’s Catherine Stupp reports. The officials also reported that Russia-linked hackers sent malicious emails to Latvian officials. 

Victor Zhora, a top Ukrainian cybersecurity official, also renewed pressure on Chinese drone giant DJI, whose drones are being used on both sides of the war. In the early days of the war, Russian officials received the locations of Ukrainian drone operators while Ukrainian officials couldn’t do the same, Zhora told reporters, noting that the discrepancy was “rather suspicious to us.” Zhora’s comments came as Ukrainian authorities said in a report that their research “confirmed” that DJI aided Russia’s attacks, CyberScoop’s AJ Vicens reports.

U.S. Cyber Command providing cyber expertise and intelligence in Ukraine’s fight against Russia (FedScoop)

Hackers’ fake claims of Ukrainian surrender aren’t fooling anyone. So what’s their goal? (The New York Times)

White House asserts micromanagement critique was about a previous administration (NextGov)

  • Facebook parent Meta is joining CISA’s Joint Cyber Defense Collaborative.

  • Former president Barack Obama; former Cybersecurity and Infrastructure Security Agency director Chris Krebs; and Reps. Lauren Underwood (D-Ill.) and Adam Kinzinger (R-Ill.) speak at a disinformation conference hosted by the University of Chicago and the Atlantic today through Friday.
  • Eric Goldstein, the Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity, and deputy national cyber director Rob Knake testify before a House Homeland Security Committee panel today at 10 a.m.
  • Defense Advanced Research Projects Agency Director Stefanie Tompkins, Defense Innovation Unit Director Michael Brown and Undersecretary of Defense Heidi Shyu testify before a Senate Armed Services Committee panel today at 2:30 p.m.
  • The Center for Strategic and International Studies hosts an event on the national defense implications of commercial wireless networks on Thursday at 9:30 a.m. 

Thanks for reading. See you tomorrow.