The number of CISOs who report directly to the CEO is up sharply in recent years, but many still say it's not enough to secure adequate resources.

Source: TongRo Images vial Alamy Stock Photo

After years of leaning into learning the ethos of business leadership and risk management, chief information security officers (CISOs) have gotten their seat at the boardroom table and the power to make decisions. But even so, many say their jobs are more arduous than ever, and that's not how it was supposed to happen.

A full 82% of CISOs who responded to a recent survey from Splunk said they report directly to the CEO, up from just 47% in 2023. In addition, 83% said they participate regularly in board meetings. For their part, CISOs have had to skill up in kind, honing communications skills and learning the boardroom lingo of KPIs and ROI, not to mention become more familiar with legal and compliance concerns. In other words, the scope of the CISO role has expanded far beyond just IT security.

Source: Splunk, the CISO Report 2025

It's a big change; for years, CISOs were relegated further down the org chart, receiving mandates without any opportunity to provide context to the business. They also became the ones to take the blame for major breaches, landing some in legal entanglements. And that status quo was leading to massive burnout, with the average CISO tenure standing at just two to four years in 2020. By 2023, there was widespread consensus the CISO role needed a rethink.

Related:DoJ Busts Up Another Multinational DPRK IT Worker Scam

Hence, more CISOs gaining a seat in the C-suite. And theoretically, putting a CISO in the middle of high-level decision making should help push the case for more cyber investment. But that hasn't been the experience for many, who find that board buy-in is still a challenge. In fact, only 29% of the CISO survey respondents reported they have the necessary budget to keep up with the current threat environment; in contrast, 41% of non-CISO board members said they're satisfied with cybersecurity investment levels.

In all, 53% of CISO respondents in the Splunk survey said their job has actually become "more difficult since they took the job," seat at the table or no.

**CISOs With Board Buy-In Do Better**

The data also points to a clear-cut solution: Boards with members with cybersecurity backgrounds make a huge difference. Board members with CISO experience work better with cybersecurity teams on setting strategy, goal setting, and critically, budgeting.

Those results mirror the experience of Jessica Sica, CISO at software company Weave. Although she says her role reports to the chief legal officer rather than the CEO, she "regularly" meets with the whole C-team, as well as the board and audit teams. But rather than bogging her down, Sica says her relationship with leadership has made her job easier. But, she adds, Weave's board is cybersecurity savvy.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

"I have a very security-conscious boss, and we have a security-concerned board," Sica says. "Having their support and voice makes it easier to get my job done."

Her experience, however, is a minority one: The survey showed only 29% of CISOs had a board with at least one cyber expert.

Progress requires CISOs to keep pushing cyber into the C-suite conversation, and boards to recognize the need to add more cybersecurity experts to their ranks, according to Michael Fanning, CISO of Splunk.

"As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other to drive digital resilience," Fanning said in a statement. "Bringing these groups together requires educating boards on the details of cybersecurity, and for CISOs to understand the language and needs of the business while also making security a business-enabler."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

Source: Sean Hawkey via Alamy Stock Photo

Two Americans, two North Koreans, and a Mexican man have been indicted for their roles in an IT worker scam.

According to the Department of Justice (DoJ), Pak Jin-Song, Jin Sung-Il, and other North Korean co-conspirators secured IT jobs with at least 64 different American companies. They managed it using fake identities facilitated by Pedro Ernesto Alonso De Los Reyes, a Mexican citizen living in Sweden, and carried out their jobs with the help of laptop farms maintained by US citizens Emanuel Ashtor and Erick Ntekereze Prince.

The ruse lasted from April 2018 to last August. For a sense of how lucrative it was, the DoJ noted that earnings from just 10 of the 64 affected companies yielded the scammers $866,255.

**Breakdown of a North Korean IT Scam**

The IT worker scam, now tried and true, developed as a workaround for trade and economic sanctions imposed by the US on the Democratic People's Republic of Korea (DPRK). North Koreans under the employ of sanctioned DPRK government ministries, under assumed identities and relocated in places like China and Russia, apply for remote jobs in America's lucrative tech industry. They perform their jobs adequately enough, but funnel their earnings back to their shriveled government. And some portion of that money, inevitably, ends up funding its notorious nuclear and missile development programs.

Related:CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

But getting a high-paying tech job is no simple, overnight process. To facilitate these scams, by trick or by trade, North Korea recruits Americans and other foreign nationals to help them implement the plan. In this case, the help came from a few central individuals.

In some cases, Alonso lent the hungry job seekers his identity, which they presented as their own in job applications and interview processes. In other cases, the North Koreans stole real US citizens' government identification documents, then superimposed their own headshots on them. In other cases, they solicited help with forgeries from the Web.

After securing sometimes six-figure gigs, the North Korean workers would have company laptops delivered to Ashtor or Prince. By a certain point, the Americans were running full-on laptop farms from their homes in North Carolina. To enable North Koreans in China to work from laptops on the US East Coast, they covertly downloaded and installed remote access software onto these corporate devices. And to conceal where the salaries were actually going, they used their own registered companies to invoice employers. Payments would then be laundered through Chinese bank accounts.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Ashtor and Prince were arrested in North Carolina, and Alonso in the Netherlands. All five men are now charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. The two named North Koreans have earned a bonus charge of conspiracy to violate the International Emergency Economic Powers Act. Convictions could entail prison sentences of up to 20 years.

**Are Recent Arrests Having an Impact on Cybercrime?**

Last March, the DoJ launched its DPRK RevGen: Domestic Enabler Initiative, focused on shutting down the laptop farms crucial to facilitating North Korean IT worker scams. In the time since, authorities have made notable arrests and seizures on four separate occasions.

"They've been warned about this for two years, and we're finally just now starting to see the United States government starting to form a defensive policy, \[with\] routine arrests and sanctions," says Roger Grimes, data-driven defense evangelist at KnowBe4, a company that accidentally hired a North Korean employee last year.

Grimes hasn't yet observed any noticeable decline in these scams since the DoJ initiative began. In fact, he reports, KnowBe4 has received applications from fake IT workers even since its first, widely publicized incident. Any Americans joined up with Kim might consider, though, that besides the threat of arrest, the gig isn't always as lucrative as it seems.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

"A lot of them have been cheated," Grimes notes. While cases have varied widely, he claims, "Many \[Americans have been\] promised a lot more, and either only got paid partially, or some of them didn't get paid at all. So they were really cheated."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

DoJ Busts Up Another Multinational DPRK IT Worker Scam

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

The bug has been given a 9.9 CVSS score, and could allow authenticated threat actors to escalate their privileges to admin-level if exploited.

Source: Kristoffer Tripplaar via Alamy Stock Photo

NEWS BRIEF

Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.

Cisco Meeting Management is a management tool for Cisco's on-premises meeting platform, Cisco Meeting Server. The management system allows users to monitor and manage meetings that are running on the platform through two user roles: the first is for administrators with full rein over the platform; and the second is for "video operators," who only have access to the meetings and overview pages.

The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because "proper authorization" is not enforced on REST API users. Should an attacker send specially crafted API requests to a specific endpoint, they could exploit the vulnerability and allow an attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.

This poses a risk to businesses, as a threat actor with video operator access on the platform could exploit this vulnerability to give themselves administrator privileges, allowing them the ability to change configurations, add users, and more, according to the advisory.

The management system is vulnerable to the bug regardless of device configuration, according to the advisory. So, anyone using Cisco Meeting Management 3.9 or earlier would need to migrate to a supported version in order to fix the bug. Those with version 3.9 should upgrade to version 3.9.1; and those with version 3.10 remain unaffected. There are no workarounds to address the vulnerability.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Cisco: Critical Meeting Management Bug Requires Urgent Patch

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

API security often involves third-party, rather than first-party, APIs, and each use case can have different requirements. Rather than trying to make one technological approach work for all instances, security and risk management leaders must adapt their approach to the specific use case.

According to a recent Gartner survey, 71% of IT leaders report using third-party application programming interfaces (APIs) in their organizations. Many security and risk management leaders must focus on API security when dealing with consumption and integration with third-party APIs, rather than exposure of first-party APIs. 

In addition, when it comes to third-party APIs, many remediation measures, such as patching for exposures, are not under the organization's direct control. Therefore, the approach will have to be fundamentally different as compared to first-party APIs. 

Three use cases should be top of mind for these security leaders.

**Use Case 1: Discover and Manage Outbound Data Flows to Third-Party APIs**

In this first use case, the enterprise sends data to third parties via APIs, typically by invoking them from homegrown applications. In an e-commerce scenario, for instance, the service providing the API could be a payment gateway. In this example, the outgoing traffic would contain payment data used to process a payment. There are different ways to invoke the API from within the application, such as direct integration, using a software development kit or a webhook.

A main risk is that sensitive data may be sent toward the API. This activity may conflict with enterprise policies or industry regulations. Third-party APIs may also put the data, or the data of customers, in danger. For example, an attacker may be able to steal payment data from customers by using a vulnerable payment API. Depending on the scenario, injecting a malicious payload could also corrupt the database of a business partner.

In this scenario, security leaders should discover third-party APIs by performing traffic inspection, code repository inspection, and software composition analysis, as certain third-party APIs may be invoked via third-party libraries, not homegrown code.

Security leaders should also liaise with the team that manages sourcing, procurement, and vendor management (SPVM) and third-party cyber-risk to ensure software-as-a-service (SaaS) applications are vetted and comply with organizational policies.

Security leaders must also identify sensitive data exfiltration by monitoring the outgoing traffic in these API exchanges. This is typically achieved by implementing data loss prevention (DLP) capabilities. Disparate tools could apply—for example, security service edge (SSE), DLP, and API protection tools all have certain DLP capabilities.

*   Differentiators could include whether the tool can categorize data while in transit (“on the fly”) or whether it can perform remediation actions, such as blocking the exchange, anonymizing, or encrypting the data.
    
*   The monitoring point may also matter, as some tools may already be installed or have access to unencrypted traffic.
    
*   Most importantly, the way security leaders have configured a tool matters. If it is set up to act as a choke point, it could be a better option than a tool configured to process only specific types of traffic or incoming traffic, for example.
    
*   Internal considerations, such as which team owns and operates each tool, will also play a role in determining which tool to choose.
    

Finally, security leaders can implement proper authentication and authorization of the API client (in this scenario, the application) using the mechanisms offered by the API provider. At a minimum, favor tokens over API keys for authorization. Assess how opaque and proof-of-possession tokens (or at least frequently rotated access credentials) and certificate pinning may efficiently mitigate token leakage and interception risks in specific use cases. Be mindful of the technical burdens they may require to set them up and issues with traffic inspection.

**Use Case 2: Protect From Inbound Traffic From Third-Party APIs**

In this use case, the organization consumes the third-party API, and the data is incoming. A typical example could be an enterprise application that makes an API call to obtain data from a commercial SaaS provider or a business partner.

One risk in this use case is receiving potentially harmful input from the API. Malicious input from third-party APIs may endanger applications, its users, or the infrastructure hosting applications. For example, if an API response with a malicious payload is sent to a database, it could result in an injection attack.

Data exfiltration is still a risk for this use case, and many of the recommendations from the first use case still apply here. If the outgoing API request contains sensitive data, that data could be intercepted. For example, if an API call requests a list of restaurants based on GPS coordinates, said GPS coordinates could be intercepted if the connection is not secure. Most importantly, the third-party API could be fetching the specific data of the enterprise. (Think, for example, of an API fetching data about customers from specific instances of a CRM SaaS application.)

Security leaders should perform input validation. Ask developers to add input validation controls when ingesting any input, including input from third-party APIs. This will prevent a large spectrum of attacks from malicious input, such as SQL injection attacks. Application security testing (AST) tools can help automate these checks.

Use Web application firewall functionality from a Web application and API protection tool in-line to add contingencies against injection attacks and other types of malicious input.

Finally, vet the input with an antivirus, sandboxing, or content disarm and reconstruction solution by integrating applications typically via Internet content adaptation protocol or APIs with one or more of these tools.

**Use Case 3: Discover, Vet and Manage the Data for Third-Party Apps That Communicate via APIs**

Many security leaders are focused on API security but describe a scenario where one or more SaaS applications typically communicate via APIs, exchanging enterprise data. This issue can be exacerbated because users may be able to interconnect SaaS applications without having administrative privileges. While the underlying communication may be API-based, this problem's solution is closer to the best practices for SaaS security.

This situation is particularly challenging when an authorized SaaS application user connects it via API to an unauthorized SaaS app. Many organizations will have little to no visibility of the connection's existence, let alone of any data transfers across it. Second, visibility is limited to what SaaS providers reveal through their own management APIs, as there's no clear place to insert an in-line control. The main risk with this scenario is that the SaaS application may expose sensitive enterprise data via the API, and that data may be transferred to an unapproved and even unknown location that security has not vetted.

Security leaders should discover the SaaS applications used by performing a census, releasing a policy, and inspecting traffic. Use SSE, firewalls, SaaS management platforms, or other tools to identify the SaaS applications users are accessing, especially those housing sensitive data. Until they know what applications users are accessing, they cannot check for SaaS-to-SaaS connectivity

Discover rogue SaaS access tokens by querying the SaaS applications used, where supported. Create and promote policy to users about connecting SaaS apps via OAuth.

For the previous use cases, liaise with the team that manages SPVM and third-party cyber-risk to ensure SaaS applications are vetted and comply with organizational policies, such as data security and third-party sharing ones. In addition, inventory SaaS-to-SaaS interconnections; automated tooling, such as SSPM offerings, can help ensure this is a continuous process.

By adapting their approaches to these three specific use cases and their possible variations, security leaders can address the risks that third-party APIs present for their organizations.

**About the Author**

VP Analyst, Gartner

Dionisio Zumerle is a VP Analyst at Gartner, where he is currently focused on application and mobile security topics. Zumerle's coverage includes API security, mobile application security, DevSecOps, and mobile threat defense.

3 Use Cases for Third-Party API Security

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively.

Source: Vladimir Stanisic via Alamy Stock Photo

COMMENTARY

The federal government is often slow moving when it comes to various technology modernization efforts (thanks to the obstacles posed by resourcing, staffing, and politics), so it's no surprise that a lack of cybersecurity awareness and action has caused federal infrastructure to reach new levels of criticality. 

Year after year we see data breaches become more commonplace, with ransomware plaguing organizations and agencies of all sizes, while foreign adversaries continue to work their way into our networks and most high-value infrastructure. There's a good reason why trust has been slowly eroding across our federal institutions over the past 20 years. But aptly timed in this tumultuous era — and released during his final days in office — is the Biden administration's executive order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. 

My take is that it's certainly good. And it's certainly needed. There's clearly a problem in shoring up our national supply chain. Our adversaries are getting stronger every day, and they're exploiting gaps and weaknesses in our interconnected systems in a way that's very real and urgent. Plus, as our workforce (federal and private) continues to modernize, digitalize, and work from anywhere, our inability to reconcile secure-by-design development with fast work-from-anywhere productivity has created a harsh reality. 

The takeaways from this executive order are the same as ever. People have long deprioritized getting the basics right when it comes to cybersecurity. A history of sporadic and continuous investment in legacy IT has left organizations ripe for and open to attacks. In fact, 90% of organizations lack visibility over all their endpoints at any given time, and in 2024, breaches caused by the successful exploitation of vulnerabilities went up 180% year over year. There remains an evident education, enforcement, and skills gap in cyber. How much longer will it take us to recognize and make the necessary changes to overcome these issues? 

But there are some positives. In my mind, here's why this executive order is different: It comes at a time when there's an actual, viable solution readily available to help the US federal government — and the larger software supply chain — overcome the challenges that have long stifled our collective resilience efforts. AI and automation pose a real and lasting way for the US federal government to shore up resilience, improve the integrity of the software supply chain, and upskill the federal workforce. AI allows organizations working with the federal government to reach a balance between productivity, growth, and security in a way that's never before been possible. 

As written in the executive order, "Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense." AI, when used strategically to analyze, synthesize, and inform security actions — particularly in areas like patch management and vulnerability assessment — not only presents the opportunity to help the federal government achieve resilience, solidifying infrastructure and streamlining operations in the process, but also frees up critical talent to reach new goals and mission critical resilience objectives as they evolve. 

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively. Though like anything else in technology, not all of AI is created equal, and thoughtful adoption in addition to rigorous coding, testing, and transparent disclosure practices will be essential to ensure that we as a community and as a software supply chain continue to implement, grow, and refine accordingly. 

Even if this executive order gets overturned, mandates like these serve as a helpful reminder of all that is important — and possible — to prioritize and achieve in this new AI era. While utilizing AI won't be without its challenges, and no development program will ever be perfect, AI offers organizations a unique opportunity to strive for more, strengthen development and compliance practices, and grow, while upskilling the next crop of cybersecurity talent to more proactively get ahead of the next generation of threats. 

**About the Author**

Chief Trust Officer, NinjaOne

Mike Arrowsmith is the Chief Trust Officer at Ninjaone where he leads the organization’s IT, security, and support infrastructure to ensure NinjaOne meets customers’ security and data privacy demands as it scales. Prior to NinjaOne, Arrowsmith held top security roles at Guardant Health and Splunk, where he focused on managing and scaling IT and security teams. Arrowsmith brings a deep understanding of how high-value, fast-growth companies can navigate security challenges, embed a culture of security, and bake in data ethics to everything they do. Most of all, Arrowsmith has an unrelenting focus on customer experiences and is heavily involved in product development at NinjaOne, bringing a "company zero" mentality to his team.

Strengthening Our National Security in the AI Era

At Black Hat and DEF CON, cybersecurity experts were asked to game out how Taiwan could protect its communications and power infrastructure in case of invasion by China.

Source: Kevin M. Law via Alamy Stock Photo

If China attacked Taiwan, how could Taiwan defend its critical communications infrastructure from cyberattack?

Last year, Dr. Nina A. Kollars and Jason Vogt — both associate professors at the US Naval War College (USNWC) Cyber and Innovation Policy Institute (CIPI) — designed a war game to inspire some novel strategies. They enlisted government and private sector cybersecurity experts at Black Hat and DEF CON to participate, and presented the results at ShmooCon earlier this month.

The scenario was this:

August 6, 2030. Relations between the PRC and Taiwan had deteriorated to the breaking point due to the re-election of a liberal, pro-independence party. Rhetoric towards independence was at an all-time high, and several government representatives had openly called for UN recognition of Taiwan as an independent state. The Central Committee of the Communist Party (CCCP) decided that the risk of Taiwan declaring independence was high enough to warrant military intervention. They began preparations for an invasion. With little chance of surprise, the PRC decided to do their utmost to disrupt Taiwan’s military and civilian communications prior to the assault.

The experts came up with 65 ways Taiwan's government could prepare for such a war, ranging from the low tech, like using ham radio when mobile networks go down, to the ambitious, such as investing in modular nuclear reactors or tidal power generation, to the outlandish, for example using civilians or cultural artifacts as deterrents against military strikes.

Related:Thai Police Systems Under Fire From 'Yokai' Backdoor

**Taiwan's Unique Indefensibility**

In designing the war game, "We put very specific emphasis on what we call the 'Zelensky playbook,'" Kollars says. Ukrainian President Volodymyr Zelensky made certain that communications could occur between his own people and the capital, and between the capital and the rest of the world. "We went into designing the war game specifically to answer the question: Could the Taiwanese play Zelensky? Even under any kind of duress, could they find a way to keep communicating?"

What was clear early on is that political and geographic factors make Taiwan much more vulnerable to blockade. Ukraine is in mainland Europe, with a long border through which it can receive resources of one kind or another — fuel, Internet connectivity, and food, for example. Taiwan's highly connected populus is served by 16 undersea cables, three of which run through China, making them eminently cuttable. Meanwhile, it imports nearly all of its energy from overseas, and has been phasing out domestic nuclear power, which might otherwise provide a balance. "So pretty quickly you get this pretty dire picture, where it's just a fundamentally different kind of battle," Kollars explains.

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

"Taiwan is in a very vulnerable position because of its geography, but also because of a million little micro-decisions, which ultimately give you the telecommunications and power system that you have," Vogt says. At the time of Russia's invasion, "Ukraine had a much more diverse set of mobile providers, and the power was much more distributed — there's a lot more connections to other countries. So the Russians were probably never in a position where they could digitally isolate Ukraine, writ large. They tried to do it to the capital, but it was always going to be very hard for them. I think in the Taiwan–China scenario, China has the potential to be much more damaging."

**How to Defend Taiwan from China**

Initially, players devised strategies to combat aggressive but ultimately tempered cyberwarfare: ransomware attacks against data centers, severed submarine fiber optic cables, and forced power outages. Only then did China kick up its game with kinetic strikes, including PRC strikes on Taiwanes aircraft and ensuring that nothing can fly in Taiwanese airspace. In the scenario, PRC also destroyed bridges and key routes to coastal defenses, while also targeting Taiwan's command-and-control systems and all manner of communications systems.

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

How could a small island nation possibly protect its infrastructure against the combined might of the world's second greatest military power?

More than two-thirds (70%) of the solutions proposed by players involved investing in infrastructure for communications, power generation, storage, and data backup and distribution. Some 20% of the ideas focused on recovery — preparing civilians with technical skills, and stockpiling spare resources, for example. Only 10% of recommendations focused on straight cybersecurity.

The physical location of critical resources was also of utmost importance. Some suggested that Taiwan take advantage of its geography by building and stockpiling equipment along its far coast, in forests, and nestled in its eastern mountain range. Some suggested decentralizing its infrastructure, spreading it out in smaller chunks all around the country using solar power and cheap radio systems. Others argued for the opposite: concentrating communications and power systems in fewer, denser areas that China might be reticent to destroy.

"There were some ideas I thought, from a military perspective, were pretty risky," Kollars admits. "One of them was to colocate all of Taiwan's precious assets — like the TSMC semiconductor plant, all of its antiquities from China, large populations, and a nuclear power plant — assuming an adversary wouldn't strike a target that had everything stacked on top of it. That's a heck of a gamble."

Ultimately, the most popular ideas were those that were cheap and practical, like using Bluetooth or Raspberry Pi mesh networks as backups to cellular connectivity. "The thing that surprised us most about this exercise," Vogt recalls, "was how much time they spent talking about the civilian population, and what needed to be done to prepare them: everything from public messaging campaigns on how to be cyber secure to full-on training programs to create civilian cyber cores that could not just protect themselves but also operate and maintain equipment when there's no government around, and keep the communications going for longer periods of time."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

War Game Pits China Against Taiwan in All-Out Cyberwar

The first team to successfully hack the electric vehicle maker's charger won $50,000 for their ingenuity.

Source: VDWI Automotive via Alamy Stock Photo

NEWS BRIEF

Researchers at the this year's Pwn2Own Automotive hacking contest successfully hacked Tesla's wall connector electric vehicle (EV) charger.

The annual contest focuses on hacking automotive technologies during the Automotive World tradeshow in Tokyo. The contest allows researchers to target car operating systems, electric vehicles, chargers, and infotainment systems in vehicles to uncover hidden vulnerabilities and potential threats.

Zero Day Initiative said the PHP Hooligans used a "numeric range comparison without minimum check" zero-day bug to take over the EV charger and crash it. This feat earned them $50,000 in prize money and five Master of Pwn points.

Right behind them was Synacktic, which hacked the Tesla EV charger through the charging connector.

The PHP Hooligans also exploited 23 other zero-day vulnerabilities in WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers.

On day two of the contest, Trend Micro's Zero Day Initiative paid out $718,250 in rewards to onsite security researchers who discovered 39 unique zero-days.

Sina Kheirkhah is currently leading the Pwn2Own contest with 24.5 points, followed by Synacktiv in second place, and PHP Hooligans in third.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tesla Gear Gets Hacked Multiple Times in Pwn2Own Contests

PRESS RELEASE

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA), published Closing the Software Understanding Gap that calls for decisive and coordinated action by the U.S. government to obtain a deep, scalable understanding of software-controlled systems. Specifically, the report calls for software-controlled systems that can be assessed to verify functionality, safety, and security across all conditions, which is currently not available.

Mission owners and operators lack adequate capabilities for software understanding because technology manufacturers build software that greatly outstrips the ability to understand it. The inadequate understanding leads to exploited software vulnerabilities because technology manufacturers create software that is not secure by design.

“Recent discoveries of adversarial state-sponsored activity in US critical infrastructure – primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems – pose imminent threats to US national security. The software understanding gap exacerbates the risk to this threat activity,” said CISA Technical Director Chris Butera. “Mission owners and operators have an enormous and accelerating dependence on the software underwriting U.S. critical infrastructure. With our partners, we urge the USG to close this gap before other nations and urge software manufactures to align to Secure by Design principles.” 

The report highlights potential solutions to change the security posture of legacy and future software. One example is the application of mathematically rigorous techniques known as formal methods. For a long time, formally verified software has seemed hopelessly out of reach, but advances by DARPA and others over the past decade have made formal approaches more accessible for mainstream practice.

“We have the tools today to greatly reduce the number of software vulnerabilities that plague our software infrastructure,” said DARPA’s Information Innovation Office Director, Kathleen Fisher. “Rapid action to implement these tools in legacy and future systems can dramatically reduce the United States’ cyber vulnerabilities ahead of future global conflicts.”

This report also provides recommendations to obtain a deep, scalable understanding of software-controlled systems, including AI-based systems. By providing an adequate capacity for software understanding, the United States will secure an advantage in geopolitics for the foreseeable future and will help harden critical infrastructure against state-sponsored activity.

This report highlights the enduring broad government coordination required to create the capabilities to address these threats.

For more information on Secure by Design, visit Secure by Design webpage.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

You May Also Like

CISA Calls For Action to Close the Software Understanding Gap

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Source

DARKReading