Since 2014's annexation of Crimea, Ukrainian mobile operators have taken multiple, proactive steps to defend networks in the country and ensure their resilience.

Prior to the February invasion of Ukraine, commentators and observers had expressed concern that the Russian offensive would involve coordinated IT attacks on key infrastructure throughout the country, including its communication networks. The combined effects of these attacks was predicted to have been globally widespread and, crucially, publicly felt. But while there have been reports on the use of cyberattacks on critical infrastructure, mobile networks remain largely active — as shown by the considerable number of videos, calls, and livestreams that continue to originate from across Ukraine.

The ongoing work of Ukrainian mobile network operators (MNOs) and equipment personnel keeping cell towers and supporting critical infrastructure connected and powered continues to be critical. Mobile networks have stayed functional for far longer than expected, sometimes in areas suffering destructive and ongoing strikes targeting underground fiber and cell towers, as well as power outages.

**Proactive Steps**  
Since the annexation of Crimea in 2014, the Ukrainian MNO community has taken proactive steps to both defend networks in the country and ensure their resilience. This has been vital in a country that is geographically vast, with an extensive rural population, and yet Ukraine has around 130% mobile penetration.

When the invasion began, the Ukrainian Telecom regulator (NKRZI) decided to allocate additional 3G and 4G frequency bands for the three main operators, nominally to provide more capacity where it was expected people would flee (Western border areas), but the frequency increase was implemented countrywide.

In addition, Ukrainian MNOs and Ukrtelecom made the coordinated decision not to suspend any account if the subscriber ran out of credit, meaning everyone could stay in contact even if they were in a position or situation where they could not obtain any additional credit.

Finally, all three main Ukrainian MNOs suspended all inbound roamers from Russia and Belarus. This was an unprecedented move — no country has ever blocked all users from neighboring countries with which it had existing roaming agreements. Immediately, mobile subscribers from Russian and Belarusian networks could not roam onto Ukrainian networks.

Mobile telecom security affected the battlefield as well in mid-March. Ukraine’s security services announced the capture of a SIM box that was being used as a voice-call relay from Russian forces' leadership in Ukraine, as well as to send text messages locally. This is an example of the use of Ukraine's mobile networks by invading forces, and the ongoing battle to detect and secure them.

Specifically, the SIM box made anonymous phone calls from Russia to the invaders’ mobile phones in Ukraine. The box also sent SMS messages to Ukrainian security officers and civil servants with proposals to surrender and defect, and was also used to pass commands and instructions to Russian forces.

Up to 1,000 calls a day were routed through this system, many from the Russian army's senior leadership. Its setup of a commercial, off-the-shelf Hypertone SIMBank and several multiple GSM gateways and control software was used to relay calls made from phones within Ukraine to IP, in order to send back to Russian addresses. This system looks to have been designed to avoid call interception by trying to blend in, i.e., by dialing in-country only, and then using IP to bypass the blocks on outbound calling to Russia.  
**  
Mobile Security Decisions  
**Specific mobile network security decisions and actions have also been made by the Ukrainian MNO community, regulator, and security services. While many have not been made public, they include:

1.  A recommendation to block 642 ASs (autonomous systems) of the "RuNet," the Russian Internet, which together cover 48 million IP addresses, preventing cyberattacks of information disseminated from these sources over both fixed line and mobile networks.
2.  Blocking the receipt of all inbound SMSes from Russia and Belarus, preventing spam or fake information from mobile networks in these countries.a
3.  Ongoing psyops that use texts to target Russian soldiers in possession of Ukrainian SIMs. Those that have been identified are messaged, encouraging them to defect and/or surrender.
4.  Ongoing search for other malicious telecom equipment. One was the detection and seizure of a "network of bot farms located in the largest cities of Ukraine, including: Kyiv, Dnipro, Odesa, Vinnytsia." These SIM boxes sent SMS messages aimed at fostering enmity within the Hungarian minority in Ukraine. Another detection by the SBU was five bot farms, where SIM boxes compromising over 100 SIM gateways used social networks to spread misinformation.

There are multiple moves that MNOs, and the state can take when preparing themselves for any conflict that may involve the targeting of telecom networks. It is vital that plans and techniques be coordinated and in place prior to any situation in which they might be enacted. In Ukraine the operators and regulators have been instrumental in coordinating and preparing their mobile networks to the position where they are today — a much stronger position than many had expected before the conflict.

How Mobile Networks Have Become a Front in the Battle for Ukraine

RFT is expanding the Safe Place hospital market security system to include staff protection.

BROOKFIELD, Wis., May 16, 2022 /PRNewswire-PRWeb/ -- RF Technologies (RFT) is pleased to announce the release of SAFE PLACE Staff Protection Solutions (https://www.rft.com/staff-protection/). RFT SAFE PLACE Staff Protection ensures staff security, and peace of mind, by making help available at the touch of a button.

RFT is expanding the SAFE PLACE hospital market security system to include staff protection. SAFE PLACE, used since 1993, now offers a solution creating a secure and productive work environment for staff protection from potential physical threats. The industry leading SAFE PLACE product line has protected patients for over 30 years in infant security, wander management, flight risk, and now staff protection.

Users can remain confident that the new SAFE PLACE Staff Protection Solution is proven and reliable, as it uses the same SAFE PLACE Enterprise software platform as other SAFE PLACE products. SAFE PLACE Staff Protection ensures staff security, and peace of mind, by making help available at the touch of a button. Staff Protection operates on a dedicated, dependable network consisted of a blend of hard wired and localized wireless infrastructure. The SAFE PLACE Staff Protection alert button is easily accessible with multiple wearable options to choose from including, keyring, lanyard, pendant clip, and watch.

SAFE PLACE Staff Protection uses cutting-edge Bluetooth 5.0 technology. The safety system is easily scalable to any healthcare setting and uses PoE or local USB power for the signal receiving gateways. Once activated, mobile panic alarms enable security to locate staff with detailed, real-time location tracking via security monitors. Proprietary software captures alert history and data to plan and predict alarms, track response times, analyze trends and produce quality reports.

Protect your healthcare staff from the threat of patient violence by using RF Technologies SAFE PLACE Staff Protection Solutions in your hospital. Staff will be reassured by the simple user interface that is designed by nurses, for nurses with integrated communication.

Once an alarm is activated, real-time location technology is enabled, with an alert notification, to track the staff under duress, even if they are on the move. The software allows security staff to know exactly where, on a map, they can find an employee and intervene before a situation escalates to violence.

During times of staff duress, give employees peace of mind, that with the push of a button, help is on the way.

For questions or inquiries, please contact the RFT marketing department at \[email protected\].

About RF Technologies: RFT is a turn-key manufacturer and provider of life safety solutions for the senior living, healthcare, education, and hospitality markets. With 10,000+ installations since their founding in 1987, RFT is a collaborative partner in designing custom-configured solutions that meet each  
customer's needs and reduces their liabilities. The RFT family of solutions includes CODE ALERT call and wander management, SAFE PLACE patient security,  
HELP ALERT® staff duress, SENSATEC® fall management products and EXACTRACK®  
equipment location.

RF Technologies Releases Safe Place Staff Protection for Healthcare Settings

Even with dedicated identity management tools at their disposal, many companies — smaller ones especially — are sticking with email and spreadsheets for handling permissions.

How do companies control application permissions and entitlements? According to a survey by Internet security and governance company Clear Skye, midsize and large companies turn to their IT service management (ITSM)/workforce management platform, while small companies are more inclined to use email.

The "2022 Identity Management Survey" polled a total of 514 respondents from a range of industries and organization sizes. Large companies are the most likely to place ITSM/workforce at the top of the list for controlling permissions, at 55%, while 51% of respondents from midsize companies did. The support dropped sharply for small companies, where only 38% reported using such software.

Small companies made up the difference by relying more heavily on email (57%) than either large (43%) or midsize (47%) organizations. Small and midsize companies were almost equally likely to use Excel or other spreadsheets to control permissions (35% and 34%, respectively), while large companies were less likely to use spreadsheets (27%).

Prepackaged identity and access management (IAM)/identity governance and administration (IGA) saw less than one-third penetration among large and midsize businesses (28% each), while small businesses were even less invested (25%).

And "invested" might be on the nose. Small businesses reported that cost was their top concern for permission management, while IT workers listed user experience, cost, and time to fulfillment as their top three challenges. After all, a company has to have an email system, and most also use spreadsheets already, so why introduce an expensive new system when you can rig an existing system to do mostly the same function?

Interestingly, respondents who had IT-specific job functions cited email and ITSM/workforce management as their top options for managing permissions and entitlements — 54% for each. Excel and other spreadsheets came in at a distant third place, with 34% of IT workers mentioning them. IAM/IGA tools beat out only "I don't know" (10%) and "other" (1%) in IT's estimation, with less than a third (29%) of IT workers citing that category. Non-IT workers at least have a good understanding of what their organizations use to control access, since their answers closely approached their IT colleagues.' Only "I don't know" was higher (10%), which makes sense.

Download the full report from Clear Skye.

50% of Orgs Rely on Email to Manage Security

Wireless chips that run when the iPhone iOS is shut down can be exploited.

Bluetooth, near-field communication (NFC) and ultra-wideband (UWB) operate when iPhone's iOS system is shut off, meaning even powered-down devices are vulnerable to attack.

New research from the Technical University of Darmstadt in Germany examined the chips that enable the "Find My" functions and allow users to access banking and identification information even when the device is in low-power mode. This access also has the unintended consequence of leaving the device open to attack, even though the user might think the iPhone is offline and secure. according to the team's paper, entitled "Evil Never Sleeps."

"On recent iPhones, Bluetooth, near field communication (NFC), and U=ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element," the paper states. "As a practical example what this means to security, we demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off." 

That said, exploitation is far from simple, requiring several steps and the use of known bugs like BrakTooth, the researchers explain.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

iPhones Open to Attack Even When Off, Researchers Say

Maintainers of open source software (OSS) will gain additional security tools for their own projects, while the developers who use OSS — and about 97% of software does — will gain more data on security.

The maintainers of thousands of critical open source projects and the developers who build on the foundation of that code will both benefit from 10 security initiatives launched late last week by the Linux Foundation, the Open Source Security Foundation (OpenSSF), and 37 technology companies, the groups said — including tech bigwigs Amazon, Google, and Microsoft.

During a second summit of software industry professionals and government officials, the organizations committed to supporting a 10-step plan to shore up open source maintainers, provide tools to improve software security, and secure the software supply chain. 

The Open Source Software Security Mobilization Plan groups the 10 steps into three broad initiatives: securing open source software production, improving the discovery and remediation of vulnerabilities, and speeding the ecosystem's time to patch.

To show their commitment, a group of companies has pledged $30 million of the estimated $150 million needed to fund all 10 initiatives for the first two years, Brian Behlendorf, general manager of the OpenSSF, said during a press conference on Thursday. This initial $30 million comes from Amazon, Ericsson, Google, Intel, Microsoft, and VMWare.

"We realize that \[$150 million\] is a meaningful amount," he said. "It is an amount more than any one open source developer has, or even most open source projects. But when compared to the cost of remediating a major vulnerability out there, like we have seen in the last few years, it is a drop in the bucket — a very small ounce of prevention to spend for many, many pounds of cure."

The 10-step plan calls for educating and certifying developers in secure programming, creating and maintaining security metrics for the top 10,000 OSS components, promote digital signing of software releases, and replacing non-memory-safe languages, such as C and C++, with more modern alternatives, such as Go and Rust. The plan also calls for improving the discovery of vulnerabilities and their remediation by funding a team of experts to assist open source projects during incidents, provide advanced security tools, fund third-party reviews, and coordinate sharing of data to determine the most critical components.

The intent is to improve security without increasing workload, the open source foundations stated in the report.

"\[A\]ll forms of investment and intervention should be focused on delivering new value to OSS maintainers — from making it easier to adopt practices that enhance the security and integrity of their work, to funding activities like third party code reviews that most projects struggle to afford to perform on their own," the report stated. "Any investments or policies that place additional burdens on developers, increase their personal or professional liability for working on code, or issue unfunded mandates upon them, would struggle for adoption and potentially inhibit further advancements in open source software."  

**Developers & Maintainers to See More Tools  
**The main focus of the $150 million effort will be to produce tools, training. and services for developers and maintainers to create more secure software. Already, some tools have been released as part of the efforts of the OpenSSF and other supporters, such as Google. 

Google, for example, released a tool known as AllStars that automatically vets GitHub projects to flag any anomalies, which could indicate a security issue in the maintenance of the project. The company has also released a system, Scorecard, for rating projects in 18 different areas to give them a security rating. Google and the Linux Foundation, meanwhile, released a tool, sigstore, to help verify the integrity of software supply chains.

Such efforts are extremely important to reduce the impact of security efforts on developers' work, Stephen Chin, vice president of developer relations at software supply chain security firm JFrog, said in a statement.

"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises," he said. "Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen."

Even more important than the tools are that the efforts create standards that allow interoperability between tool sets, Dan Lorenc — CEO and co-founder at Chainguard and a co-creator of sigstore — said in a statement.

"Interoperability is the linchpin in securing software throughout the supply chain," he said, adding: "These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project, nor do they have dedicated staff to understand and integrate all of these tools."

**Gaining Momentum for Open Source Security Support  
**OpenSSF has already made a number of announcements of initiatives that will likely become components of the industry's approach to supporting the creation and maintenance of a more secure software supply chain. Earlier this year, for example, the group announced the Alpha-Omega Project, which aims to secure the most critical software by providing tools and support to maintainers. In March, the OpenSSF and the Laboratory for Innovation Science at Harvard announced four lists of 500 open source projects deemed most critical in two major ecosystems, the JavaScript-based Node Package Manager (NPM) and non-NPM frameworks.

In October, the OpenSSF announced that 16 premier members — including Amazon, Cisco, Facebook, Fidelity, Google, Microsoft, and Red Hat — along with 15 general members had  committed $10 million to expand and support the organization.

The broad base of support shows that open source security is a problem that affects every business using software, Brian Fox, CTO at Sonatype, said in a statement.

"It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today," he said. "It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone."

Open Source Security Gets $150M Boost From Industry Heavy Hitters

To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.

A few months ago I had a conversation with the CISO of a multinational logistics company who told me that his company will never allow citizen development. "I see that the benefit could be massive, but we will never allow it," he said.

This statement made perfect sense. Allowing employees with little IT or coding experience to develop applications seems counterintuitive to companies that are used to seeking strict controls over developers, applications, and digital assets. For many executives, citizen development seems to belong to a distant future.

In a follow-up meeting with that same CISO a few weeks ago, the conversation went in a very different direction. Marketing teams found their way around the CASB and started using no-code automation. Business applications teams started using Salesforce to streamline business processes rather than focus only on sales and customization. Employees all around the company were using Microsoft's built-in platform to build custom applications in Teams. "Turns out, we didn't get to choose. Citizen development is now a reality, and I am now expected to mitigate its security risks," he told me.

This CISO is not alone. The world's largest banks, retailers, and manufacturing companies are going all-in on citizen development. At a recent online event, Microsoft announced that 97% of Fortune 500 companies use its low-code/no-code platform.

**How Low-Code/No-Code Platforms Find Their Way Into the Enterprise**  
To understand how organizations can transition from "low-code who?" to "business developers" in just a few months, we need to understand how low-code/no-code finds its way into the enterprise. We also need to look at low-code/no-code platforms' go-to-market (GTM) strategies.

**1\. Land-and-expand:** Low-code/no-code platforms follow multiple paths into the heart of the business. The first and most obvious one is a top-down approach. In organizations where digital transformation is a strategic effort, senior management often looks for platforms that can accelerate the productivity of their business teams. Low-code/no-code platforms are built to do exactly that. Two popular choices for digital transformation are low-code application platforms (LCAPs) and integration platform-as-a-service (iPaaS).

In the digital transformation scenario, an organization would typically set up a center of excellence (CoE) that starts off by finding key use cases that quickly produce business value. Think of business applications used to manage a giveaway campaign by HR, welcome vendors to your facilities, or facilitate IT equipment orders by employees. Even more importantly, the CoE serves as inspiration for business users to think of more ways in which they can improve their productivity with business applications and automation. This centralized team leading by example doesn't have to be explicitly called a CoE. It can be the business applications team, the intelligent automation team, or the integration team, for example.

Once users start getting an appetite for applications that streamline business processes, the CoE's backlog quickly overflows. It is at this stage that business users start building their own applications, either with guidance from the CoE or on their own.

Both LCAP and iPaaS vendors rely heavily on this process of expansion within the enterprise as their core growth strategy. While it's easier to get through the door with a solution used by a centralized team, the value that can be realized grows significantly when low-code/no-code tools are placed directly in the hands of business users. Indeed, LCAP and iPaaS vendors are investing a lot in making their platforms easier for citizen developers to use. Slowly but surely, business teams across the organization become aware of these platforms and start to use them to get their job done.

This land-and-expand model is a win-win for vendors and customers alike. Centralized teams bring these platforms into the corporation and demonstrate their value, leading to business teams realizing their potential by addressing a wide range of business needs quickly, on their own.

**2\. Bottom-up (shadow IT):** The marketing team at the aforementioned logistics company has been hard at work on a big conference. The company plans to make a few key announcements, with the intent to make it a big deal and generate lots of buzz. To translate this hype into leads, they want to set up a dedicated landing page with content optimized for conference visitors. The marketing team hires a vendor to build the page. In order to deliver quickly, the vendor uses a no-code automation platform to set up an email campaign and sync leads to the company's CRM. The end result is a great conference experience, powered by a no-code automation platform connected to the company's CRM.

In the rush of things, however, the CRM integration was set up with an administrator account shared with all developers on that account. At launch, only a few developers have access to the account, but after seeing the value, the whole marketing team is granted access, inadvertently sharing administrator privileges to the CRM. Security teams found out about it after the fact. The platform was purchased out of pocket due to time constraints, so there was no security assessment or an opportunity to say no.

This is a typical story, where platforms are introduced directly by users to solve a specific problem, without security visibility or guardrails. Once inside, they continue to expand to additional use cases and business groups. Vendors call this product-led growth (PLG), and it has been the hot GTM trend for the past few years.

Indeed, users are introducing these platforms because they actually solve their problems. Manual processes around order-to-cash, customer care, and marketing operations are a common example. This is great for business productivity. However, over time organizations can find that their business-critical data and processes have slipped out from under the security umbrella.

**3\. SaaS becoming the new business cloud:** Name your favorite corporate SaaS platform. Chances are, it's a low-code/no-code development platform too, and your business users are already building with it. Don't just trust me on this — I encourage you to check it out yourself.

In recent years, SaaS vendors are increasingly shifting toward becoming low-code/no-code development platforms. Microsoft, Salesforce, ServiceNow, Workday, Slack, and other leaders in SaaS have all introduced their own low-code/no-code platform, embedded right into the platforms your business users are already using. Some vendors are focused on if-this-then-that automation and others on custom application development. But all of them are reaching out to business users directly, empowering them to do more on their own.

Back in the previously mentioned logistics company, the CISO found out that users across the organization were using Power Platform, Microsoft's low-code/no-code platform embedded in Office, to build custom applications for their Teams channels. These applications gained access to resources on behalf of their Teams users to do useful things like set up calendar invites, send emails, or share SharePoint files. Inadvertently, it also gave the application creators control over application user identities, allowing them to impersonate their users through the applications. Like any application that gains access on behalf of users, that access could be used to do harm, either by malice or by mistake.

SaaS vendors are pushing strong on low-code/no-code as a way to expand their business. They are using their advantage of already being at the fingertips of business users and are building app development platforms for their specific personas. This, again, is great for innovation and business velocity.

**The Time to Act Is Now  
**With all of the different ways low-code/no-code finds its way into the enterprise, it's becoming clear that organizations can't just opt out of citizen development. Gartner has predicted that the number of active citizen developers at large enterprises will outnumber professional developers four to one by 2023. Other analyst firms have predicted similar numbers. Even if we end up having _just_ one citizen developer per professional developer, can we really let that slip outside the security umbrella?

Instead, security teams should embrace low-code/no-code and help guide the new generation of citizen developers in line with enterprise requirements. The sooner this is done, the better.

You Can't Opt Out of Citizen Development

New quantum encryption standards will stand up to spy-snooping, NSA cybersecurity director said.

As the National Institute of Standards and Technology (NIST) is busy developing — and gathering industry buy-in — for a new set of quantum encryption standards, the cybersecurity chief for the National Security Agency (NSA) has vowed it won't build in a backdoor for snooping.   

The NSA has a shabby track record when it comes to violating privacy and Fourth Amendment protections with its massive surveillance operations, but in an interview, NSA director of cybersecurity Rob Joyce said, "There are no backdoors" being designed for spies to bypass new quantum encryption standards. 

Although the reality of quantum computing is still years away, its potential to crack even the strongest encryption has the cybersecurity community on the hunt for protection against this future risk.  

The NSA is also helping NIST test its various quantum encryption algorithms, Joyce told Bloomberg News. 

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSA Cyber Chief Vows 'No Backdoors' in Quantum Encryption Standards

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

What's a cartoon without a clever caption? For that we turn to you, our witty readers. Send us your ideas not only for the chance to win a $25 Amazon gift card, but also because it's just plain fun to play! Here are four convenient ways to submit your idea:  

*   Email _\[email protected\]_ with the subject line "Dark Reading April Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, June 8, 2022. We look forward to your submissions.

**Last Month's Winner  
**A $25 Amazon gift card is on the way to Gene LeDuc, technology security officer at San Diego State University. His caption for April's "Helping Hands" contest was the hands-down winner. Congrats, Gene, and thank you to all who played along. 

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Knives Out

Just one day after disclosure, cyberattackers are actively going after the command-injection/code-execution vulnerability in Zyxel's gear.

Zyxel firewalls are under active cyberattack after a critical security vulnerability was disclosed last week that could allow unauthenticated, remote arbitrary code execution.

The bug (CVE-2022-30525, CVSS 9.8) was silently patched in April, but no public disclosure was made until last Thursday, May 12, when Rapid7 released a technical report on the issue. It also debuted a working proof-of-concept exploit that clearly snagged the attention of the bad-actor set: Just one day later, in-the-wild attacks started.

Zyxel’s ATP, VPN, and USG FLEX series business firewalls are affected. Shadowserver identified nearly 21,000 potentially vulnerable devices hanging around as of Sunday, prompting US National Security Agency cyber director Rob Joyce to issue a call-to-patch tweet.

The vulnerability can be triggered via a device’s HTTP interface to open a reverse shell and allow code execution as the “nobody” user. The nobody user is less privileged than actual user accounts, but a successful attack could still allow a nefarious type to "modify specific files and then execute some OS commands on a vulnerable device," Zyxel warned. In a worst-case scenario, attackers could potentially gain control of the host operating system, disabling the firewall and opening the network to follow-on attacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

In a Black Hat Asia keynote fireside chat, US national cyber director Chris Inglis outlined his vision of an effective cybersecurity public-private partnership strategy.

BLACK HAT ASIA – The future of cybersecurity public-private partnerships (PPP) will be about sharing efforts and pooling resources to provide a common defense, explained US national cyber director Chris Inglis during a fireside chat at Black Hat Asia.

Inglis called it a "new social contract" and defined the joint work that lies ahead for both government and business to protect their interests. It should be a "collaborative, not a division of effort," he told moderator and Black Hat founder Jeff Moss. He added that it's up to businesses to build secure systems from the start rather than being "the poor soul at the end of the supply chain."

**Building a Defensible System**  
In return for adding the cost of security into the design and build phase, these companies won't be left alone when it's time to respond to threats.

"We have to build a defensible system," Inglis said. "And in a collaborative fashion, we are going to defend it."

Market forces are pushing companies toward that model, but not fast enough, Inglis said, with the assurance that any regulation will be with the "lightest touch" by government.

**Business as a Government Cybersecurity Collaborato**r  
He added that since the Russian invasion of Ukraine, the US government has shared intelligence with the private sector to help defend their systems against cyberattacks. Inglis also lauded the action by Microsoft to roll out a patch against the Russian wiper virus used in attacks against Ukraine, but warned that it's imperative that we not "conflate geography with risk."

For instance, blocking Putin from platforms is different than blocking the wider Russian population, which has happened on TikTok, Netflix, Facebook, and many others.

Inglis also expressed that the private sector should demonstrate that is has an interest in protecting privacy and providing more transparency into their businesses.

Ultimately, the relationship between business and government is evolving.

"Today, there are instances where the private sector is the supported organization and the government is the supporting organization," Inglis said. "This is a new social contract, but we've done this before. It's about allocation of responsibility across the entire ecosystem."

Source

DARKReading