Two Hats Are Better Than Two Heads

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz. 

This is the last edition of Seriously Risky Business for 2024 until February 2025.

Two Hats Are Better Than Two Heads 

Planned changes to the leadership of U.S. Cyber Command (CYBERCOM) and the National Security Agency (NSA) will prioritize short-term cyber disruption operations at the expense of longer-term intelligence collection. 

The incoming Trump administration plans to end the current “dual-hat” arrangement whereby both organizations are led by a single officer, according to The Record. The article says the proposal is in its early stages but there aren’t any major impediments to the change. Essentially, it only requires that both the secretary of defense and the chairman of the Joint Chiefs certify that the change wouldn’t pose an “unacceptable risk to the military effectiveness” of CYBERCOM. 

The change has been proposed before. President Obama supported a split way back in 2017, and it was again pushed just before the end of President Trump’s first term. On that occasion, the plan was killed by then-chairman of the Joint Chiefs, Gen. Mark Milley. 

The Record notes that “some insiders believe Cyber Command sucks resources from NSA,” and it is our understanding at Risky Biz HQ that, from a purely practical point of view, CYBERCOM does not currently have the resources it would need to operate entirely independent of NSA. 

In addition to current on-the-ground practicalities, a more enduring issue the proposal raises is that CYBERCOM’s and NSA’s goals are different and, at least to some extent, incompatible. NSA prioritizes intelligence gathering and would like to operate stealthily to avoid being caught and having its capabilities discovered and “burnt.” CYBERCOM relies on this intelligence gathering but also has a mandate to undertake disruptive cyber operations intended to harm adversaries and therefore more likely to be noticed.

So, while a successful cyber espionage operation is never discovered and burnt, even a successful CYBERCOM action will sometimes cost intelligence as targets discover they’ve been hit and adapt to or mitigate the tools and techniques used against them.  

The current dual-hat structure means a single person in charge of both organizations can weigh competing intelligence and disruption options. Is the national security benefit from disrupting a particular target in a particular circumstance worth the risk to intelligence capabilities?

U.S. lawmakers understand these trade-offs, and Gen. Timothy Haugh, now the head of NSA and CYBERCOM, was asked specifically about them during his Senate confirmation hearings in July 2023. In response, Haugh wrote: 

This is perhaps the most critical advantage of the dual hat—a single decision maker, responsible and accountable for the mission outcomes of both organizations, is best equipped to protect critical intelligence equities [i.e., NSA investment in intelligence capabilities] while executing national priorities, as directed. It ensures fully informed tradeoff decisions are made under accountability to both the Secretary of Defense and Director of National Intelligence.

When asked specifically about accesses (sources of intelligence) developed by NSA being used and burnt by CYBERCOM, Haugh responded:

As a result of the overlap of the signals intelligence and cyber operations environments, NSA and USCYBERCOM have developed a close partnership in this area. Under the current leadership arrangement, a single, fully informed decision maker, responsible for the separate and distinct mission outcomes of both organizations, is able to protect our nation’s most sensitive signals intelligence equities while operating in defense of national interests and ensuring both organizations are aligned with the nation’s priorities. If confirmed, I will continue to utilize and improve processes for identifying and evaluating the sharing of accesses, where appropriate, from NSA to USCYBERCOM, from USCYBERCOM to NSA, and with other key partners, to deliver the best outcomes for the nation.

The Record points out that removing the dual-hat arrangement would reshape the relationship between the two organizations:

Cyber Command requires a four-star officer to lead it as it’s one of the Pentagon’s 11 combatant commands. The NSA, as a “combat support agency,” needs only a three-star chief. Eliminating the dual-hat essentially would allow the military’s organization responsible for carrying out offensive cyber operations against adversaries overseas to outrank the U.S. government’s top electronic spy agency.

Done right, cyber disruption operations can be effective but tend to have impacts that are short lived and limited to days or weeks. Intelligence operations tend not to have the same immediate impact but are force multipliers because they inform the smart application of other instruments of national power. This results in potentially huge, but longer-term and less visible impact. 

We agree with Haugh’s argument that a single decision-maker is best placed to weigh these decisions. 

However, if the dual-hat arrangement is ended, these decisions still need to be made on a case-by-case basis and not according to a hierarchy that places military disruption ahead of intelligence collection every time. That is the challenge that any system—one hat, two hats, or a rodeo of Stetsons—needs to address. 

Corpo-Drivel Swamps SEC Disclosures 

Cybersecurity-related regulations adopted a year ago by the U.S. Securities and Exchange Commission (SEC) have mostly failed to achieve their stated purpose, according to a report from the incident response firm BreachRx. The rules, which came into effect Dec. 18, 2023, required that companies disclose material cybersecurity incidents and provide yearly reports describing how they were managing their cybersecurity risks. The intent of these regulations was to make more actionable information about these risks and incidents available to investors. 

BreachRx analyzed nearly a year’s worth of cybersecurity-related SEC filings and found that companies are often reporting meaningless drivel that doesn’t usefully inform the market.

When it comes to disclosure of material cybersecurity incidents, only three companies got it right and lodged the appropriate paperwork (item 1.05 on Form 8-K) once they’d determined that a material incident had occurred. The majority of companies filed these forms to ward off potential SEC action, even before determining whether an incident was material. Forty-seven companies filed 71 8-K forms, but only 11 of the filings identified material impact. Over half of these filings were boilerplate statements: “There was unauthorized activity; we are taking steps to contain, assess and remediate the incident; we have not determined if the incident will have a material impact.” That's a lot of words that say nothing useful. That’s as useful as a one-legged man in an arse-kicking contest. 

The annual disclosures covering firms’ cyber risk management approaches weren’t much better. BreachRx analyzed 418 disclosures and says the “majority described their cyber risks and incident response and disclosure procedures in nearly identical and generic terms” (emphasis in original). Only 19 percent described incident response plans and processes, and only 2 percent, or 10 companies, explicitly cited cybersecurity risk experience on boards.

There is evidence that increased transparency improves incentives for companies to act on cybersecurity risks, so we think the answer to too much drivel is that the SEC should invest more in educating companies about what good disclosure looks like. 

How WhatsApp Became an Everything App

Rest of World has published a fantastic series of articles about the creation of WhatsApp and its incorporation into Meta, its rise as a cultural force around the world, and its use for emergency communications in crisis and conflict areas. The app’s usefulness in conflict areas stems in parts from its early goals. Rest of World’s first article describes “reliable messaging for everyone, everywhere” as its business strategy:  

Working out of an unmarked, converted garage in Mountain View, California, the engineering team was laser-focused on ensuring speed and reliability—whether a user was messaging from the latest iPhone in a major American city, or BlackBerrys and Nokia feature phones operating in the most remote places. “We were trying to hit every user, everywhere, on every platform,” Chris Peiffer, one of WhatsApp’s first hires and who worked at Stanford University with Koum, told Rest of World. He recalled hiking to a cellular dead zone in the hills near Mountain View with a Nokia C3 to test WhatsApp’s durability with limited bandwidth.

The third Rest of World article says that in conflict zones, “the app’s compression algorithm, which in part allows it to function in areas with poor connectivity, makes it particularly useful.” It describes a journalist in Gaza connecting to the outer edges of Egyptian or Israeli networks:

She climbed to exposed and dangerous high points in search of a phone signal. The connection was typically too weak to connect for email, but WhatsApp functioned. Thanks to WhatsApp’s compression algorithms, she was able to send voice notes, videos, and documents to her colleagues in London. 

However, it’s not all good news. WhatsApp can also be used to inflame tensions and incite violence. In South Sudan, it has been used to plan and coordinate attacks and ambushes, and WhatsApp groups have been connected with revenge killings in Somalia. 

For compelling insights into how a service with a simple initial objective has enabled far-reaching social change, the series is well worth reading. 

Three Reasons to Be Cheerful This Week:

1. Android tracker alerts: Google has announced new features in Android that will protect users from unwanted bluetooth tracking. One feature provides automatic notifications to users if an unfamiliar bluetooth tracker is moving with their device and (if the tracker is compatible with Google’s Find My Device) can be used to pinpoint the tracker’s location. 

2. 792 online scammers arrested: Nigerian authorities arrested 792(!) people suspected of being involved in online investment or romance scams. The suspects operated from a seven-story building in Lagos. 

3. Using lawsuits to improve security: Ars Technica reports on whistleblowers using the United States’s False Claims Act to earn big paydays by suing companies that are not meeting security obligations spelled out in federal government contracts. Encouraging these lawsuits is a deliberate government strategy to discourage negligent security practices.   

Shorts

EU Will Investigate TikTok Over Romanian Election Interference

The European Union has announced a formal investigation into TikTok over its handling of content related to the first round of voting in the recent Romanian presidential election. We described this alleged interference in last week’s edition. European Commission President Ursula von der Leyen said, “Following serious indications that foreign actors interfered in the Romanian presidential elections by using TikTok, we are now thoroughly investigating whether TikTok has violated the Digital Services Act by failing to tackle such risks.”  

Although this is a huge deal, it’s not the most immediate threat that TikTok has to deal with. TikTok CEO Shou Zi Chew met with President-elect Donald Trump this week as the company tries to head off a law that will force Chinese parent company ByteDance to sell the platform or face a ban in the United States. 

EU Sanctions for Russian Shenanigans

The European Council has announced sanctions against 16 individuals involved in “Russia’s destabilising [hybrid] activities.” The sanctions target people involved in Russian propaganda as well as several GRU (Russian military intelligence) officers, among others. The Record has further coverage. 

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about the evolution of Russian cyber operations during its invasion of Ukraine. 

From Risky Biz News

CISA sent 2,100+ pre-ransomware alerts this year: The U.S. Cybersecurity and Infrastructure Security Agency has sent out 2,131 pre-ransomware activity notifications to U.S. organizations throughout the year. The notifications were sent via a program named the Pre-Ransomware Notification Initiative (PRNI), which CISA launched in March 2023. The program uses tips received from the private sector to detect early ransomware activity and notify potential targets before their data is stolen or encrypted.

Germany’s BSI sinkholes BADBOX malware traffic: Germany’s cybersecurity agency has sinkholed internet traffic originating from Germany and going to the command and control servers of the BADBOX malware group. The malware was first spotted in October 2023 by Human Security, a company that specializes in detecting advertising fraud. The BADBOX group assembled a botnet of over 280,000 systems by hiding its malware in malicious Android and iOS apps and inside the firmware of Android TV streaming boxes. Human Security said the BADBOX group operated out of China and most likely had access to hardware supply chains where its members could deploy the malicious firmware on streaming boxes.

Secret ransomware campaign targeted DrayTek routers for a year: Threat actors have secretly abused a suspected zero-day in DrayTek routers since August 2023 to hack devices, steal passwords, and then deploy ransomware on connected networks. According to a joint report from Forescout and PRODAFT, the attacks were carried out by a threat actor known as Monstrous Mantis—believed to be linked to the Ragnar Locker ransomware group. The attacker used the zero-day to extract and crack the passwords of DrayTek Vigor routers and then hand out the credentials to selected collaborators.