The US has to adapt its own policies to counter the push, warns former DocuSign CEO and Under Secretary of State Keith Krach.

Despite the block on information flowing from China, stories about the nation's surveillance state have leaked out. From social credit scores and online censorship to electronic billboards that display a citizen's "violations" like jaywalking, surveillance is a part of everyday life for millions of Chinese people.

China is increasingly exporting not only its technology but the authoritarian values that underpin them, and this spread must be contained before it moves through more of the world, says Keith Krach, who served as DocuSign CEO from 2009 to 2019 before becoming Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration in June 2019.

Krach, who continues to advise the administration of President Joe Biden and leads the Krach Institute for Tech Diplomacy at Purdue University, was nominated for the 2022 Nobel Peace Prize for his work on China. He recently spoke with Dark Reading about China's tech-centered authoritarianism, how the country is embedding its values in its exports, and what the US must do with its own tech policies to keep a moral high ground.

This interview has been condensed for length and clarity.

    

Source: Keith Krach

**Q: You've dedicated much of your career to fighting against "techno-authoritarianism." How do you define that term? What activities rise to the level of authoritarianism?**

**Krach:** Our rivals are playing the long game in what's a four-dimensional game of military, economic, diplomatic, and cultural chess — and the crossroads, the main battleground, is technology. It all intersects there. So here's what techno-authoritarianism is in the simplest \[terms\]: It is using technology for bad instead of for good. That could be a surveillance state, dangerous military weapons, or whatever else is done for bad.

You can think of it as sort of the opposite of what we \[in the United States\] honor as a nation and in the free world at large: respecting things like the rule of law, property of all kinds, nations' sovereignty, human rights, the environment, the press. Those good principles of collaboration, like transparency, reciprocity, accountability — these are things that we honor.

But these are things that China, Russia, the authoritarians don't live by. Instead they \[rule by\] a power principle: cooperation, coercion, concealment, intimidation, retaliation, retribution. And what \[affects us all\] is that when someone doesn't play by the rules, it's no longer a free market; it's a fool's market. For example, let's say you're a Silicon Valley CEO, and I'm a Chinese company. I can steal your intellectual property, I don't have to be transparent, I can use slave labor, I can use cheap energy from big coal-fired power plants.

I don't have to obey the law — or to be \[more precise\], I _am_ the law. How can you possibly compete? I'll beat you every time. So we've got to do something about it.

**Q: You've been particularly vocal about techno-authoritarianism in China — to the extent that you can no longer visit or do business there after officials sanctioned you and your family** **\[among other former Trump officials\] last year.**

**Can you provide context on the extent of Chinese surveillance? It's especially present in Xinjiang, where authorities closely track the habits and activities of millions of Uyghurs, a Muslim minority group in the city. The US is among several countries to accuse China of committing genocide** **of the Uyghurs, but surveillance happens all over the country in varying degrees.**

**Krach:** Oh, it's literally George Orwell's _1984_. They use technology to intimidate, and there is no privacy anymore. To the extent that in Beijing and a lot of the big cities, they have these big TV-like electronic billboards where they show, for example, if somebody jaywalks crossing the street. They'll flash your picture up there, they'll show how many violations they have, all this kind of personal stuff. They know exactly where people are doing, what people are spending, I mean ... everything. They assign people social credit scores based on their behavior and decide what you can and can't do.

It creates a paranoid society where everybody feels watched, and nobody trusts anyone — because there's also incentives for turning people in for violations. It's just a nasty, nasty way to live.

**Q: Chinese authorities, of course, say this surveillance is for the good of the people. They're leveraging technology in all sorts of new projects, including so-called safe cities** **underpinned by \[Chinese telecom\] Huawei that harness all kinds of data about people's activities — ostensibly created to be like what we call smart cities here, helping get ambulances to car accidents faster and assisting police in stopping crime. But in actuality, according to groups like the bipartisan Center for Strategic and International Studies, they're tracking facial recognition and license plate data, monitoring social media, and stomping out dissent.**

**Krach:** These wired cities are a Trojan horse, the same way that what they're doing in Xinjiang is a proving ground. It's beta testing for all this stuff to roll out in China and to export elsewhere. So Xinjiang is literally a glance into the future.

China is essentially exporting a "dictatorship-in-a-box" when they send their surveillance tools \[overseas\]. These are tools that the worst of dictators could have only dreamed up. And that's the stuff that enables genocide: the whole surveillance state, literally thought control. I call it China's Great One-Way Firewall, where all the data comes in for their own use. Propaganda goes out, but the truth does not come in. That's why \[China's President\] Xi \[Jinping\] is just obsessed with technology. His biggest obsession is the semiconductor business because he knows that's the foundation of everything.

**Q: Several countries, including Kyrgyzstan and Ecuador, have adopted Chinese-made surveillance tech. That's in part because China has worked to offer less-funded governments functional and more affordable semiconductors and 5G technologies. When China exports this technology, it seems that in many cases they're exporting the values behind them as well. How can that spread of authoritarianism be stopped?**  

**Krach:** I'll take you inside what happened with 5G for an example. You heard about the 5G race all the time a couple of years ago because it looked like China's most important \[tech\] company Huawei was going to run the table for 5G. They announced 91 5G deals, 47 in Europe. So \[in the US government\] we're hitting the panic button. 5G controls are much more than cell phones: It's utility grids, Internet of Things, people's personal data, the government's more precious secrets.

Right around February 2020 \[when I was Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration\], it seemed US efforts to stop it were failing. So our team got the authority to make a last-ditch effort to defeat their 5G master plan. We combined our team with some of the greatest Foreign Service officers, and it was like magic with that diversity of thought.

What we heard was that \[US\] government guys going around the world, saying, "Don't buy Huawei." And I go, "That's the dumbest thing I've ever heard." If I'm a CEO, I'd say to my chief of staff, "Hey, let's check out Huawei. They must have something good." So I said, "Why don't we treat the countries, the telcos, like customers? The customer's always right, and to get a customer, you must have a value proposition. Why should they partner with us if they don't get anything out of it?"

In my first 60 bilateral \[meetings\] I had as under secretary, I asked all these governments, "How's your relationship with China?" They'd say, "Oh, they're a really important trading partner." And then they'd look both ways, as if someone was there, and add, "But we don't trust them." That rang bells in my head. Because trust is the basis of every relationship — personal, business, or otherwise. You buy from people you trust. You partner with people you trust. So we went around to the CEOs of these foreign telcos and said, "Do you want to give your government's and citizens' data to a country that requires any company to turn information over to the Chinese Communist Party? Or do you want to partner with someone you trust?"

We created a digital standard of trust, called the Trust Principle, built on principles like respect for human rights and collaboration. And that was the basis for what we did with the Clean Network, a group of 60 countries that represent two-thirds of the world's global GDP, \[along with\] 200 telcos and a whole host of companies that were committed to building a 5G system completely free of bad actors and dedicated to fair principles.

It's not an anti-China thing. It's your choice: You can either be locked out of 70% of the market, or you can change the way that you do business. That moral high ground is key. In one move, we took those things that they were using against us and weaponized the very principles that protect our freedoms. In less than a year, those 91 \[Huawei\] 5G deals dropped by \[dozens and dozens\].

    

Source: Keith Krach

**Q. I want to turn the lens inward now because ideas like the Trust Principle and the Clean Network depend on maintaining that moral high ground — and they're built on essentially what we think of as fundamental American ideals — but in reality, the US has participated in surveillance itself. And in the private sector, plenty of US tech companies have had their own issues with data privacy and security, with many of their businesses based on supplying free services and monetizing the data their users provide. Can we have a leg to stand on unless we reform our own practices here in the States?**

**Krach:** It's an interesting and important question. Most people have never heard of this position, but I was the US/EU ombudsman for the data privacy shield. Now what that meant was after the Snowden episode, the Europeans go, "You know, we don't want you guys to do it again." And so they came up with a one-way data privacy shield: From a governance standpoint, if the United States snooped on a European and the Europeans found out about it, then they had a mechanism where they take it to the EU, they'd sort it out, and then it would come directly to me. There was nobody in the executive branch overseeing me on this, to be honest — it was straight with the judicial branch, and those guys were serious. "We're gonna prosecute come hell or high water. Patriotism thrown out the door; you've got to do what's right." And that was an interesting thing.

But the first thing I thought was, why isn't this reciprocal? The No. 1 thing \[I said\] when I met with the Europeans was, "Why is this a one-way thing, but you guys are shielded?" And then I'd say, "Oh, hey, how's your EU/China data privacy shield going? You have one, right?" And they're like, "Uh ... no. You know, China will be China."

Anyway, from a company standpoint, when people think of US tech companies, they think of the social and search companies like Google and Facebook. They're important companies, sure, but that's a small fraction of it. In my view, the rules of the road have not fully been written yet on data, privacy, security, data flows. It's going to take not only all three branches of our government but also the private sector and international players. If I were \[a tech CEO\], I would get out in front of this one because you can see it's going to be coming down. Things like Elon Musk buying Twitter probably would be a catalyst for that.

**Q: What, then, does the US need to do? It sounds like you think there's a lot more coming pretty soon down the pipe in terms of regulatory and compliance.**

**Krach:** Yeah, yeah. And I think it needs to be clear. But also, US companies were getting robbed blind and locked out of the Chinese market. So there's a squeeze play there, and then \[on the government level\] the EU was coming up with these regulations that just target US companies, so there's another squeeze play. But here again, it all boils down to one word: trust. You have to be able to trust the people you partner with, and you have to be trusted yourself.

**Q: As we look at how technology is evolving in general — Web3, the metaverse — there's so much emerging. Which security issues do you think should be top of mind from a policy standpoint?**

**Krach:** The first one is protect from the enemy. On _60 Minutes_, FBI Director \[Christopher\] Wray talked at length about China's cyber threat and threat to intellectual property. Because their attitude is, if it's out there and we can take it, it's your fault for not protecting it. It's a wholly different value system. 

So the second piece is educating everyone about that, especially at the corporate board level. I just wrote an article for Fortune about how companies need to have their China contingency plan. \[Business leaders\] need to ask themselves, "What is our policy to make sure that we're trusted by our customers, our shareholders, our suppliers, our partners, all the governments we do business with?"

There's some things the government can help out on. For example, we could install something like the no-bribery law, in which American companies that go overseas and are asked for bribes have the law to fall back on. They can say, "No can do, it's against the law. I'll go to jail, sorry." Why don't we make a law that it's illegal to transfer technology to the Chinese? They have that divide-and-conquer system: "You guys won't give it to me? I'll go to your competitor." So there's some things that we can do along those lines, understanding their values and how we can weaponize ours. But again here, it takes collaboration across government and the private sector. It's critical that we figure it out.

Q&A: How China Is Exporting Tech-Based Authoritarianism Across the World

Researchers use code, Bitcoin transactions to link ransomware attacks on banks to DPRK-sponsored actors.

A new ransomware strain called VHD has been traced to North Korean state actor APT38 by a team of researchers using detailed code analysis and following a Bitcoin trail. 

The Democratic People's Republic of Korea (DPRK) has used ransomware for several years to raise money for state coffers, including the February 2016 Bangladesh bank heist in which attackers tried to use the SWIFT banking system to steal almost US$1 billion, explains Trellix researcher Christiaan Beek in a new blog post. 

Beek and a team of fellow cybersecurity analysts linked North Korea's cyber army to the VHD ransomware, which they said has been used in ransomware attacks on global financial systems and cryptocurrency exchanges since March 2020. The analysts compared known DPRK code with VHD ransomware and found stark similarities, the post states. Bitcoin transactions overlapping between known DPRK-sponsored cybercrime groups were also reported by the team. 

"We suspect the ransomware families described in this blog are part of more organized attacks," Beek adds. "Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Ransomware Variant Linked to North Korean Cyber Army

A company's response to a breach is more important than almost anything else. But what constitutes a "good" response following a security incident? (Part 2 of a series.)

_Read Part 1 of this series exploring how to react after a serious security incident._

Security vendors know their products have blind spots. They know that there are areas of the attack surface they cannot protect. Despite this, vendors continue to make promises on which they cannot deliver. That's why companies large and small continue to experience intrusions, incidents, and breaches despite being "protected" by their security vendors. Does this lead us to perpetual defeat in the depths of abysmal despair? Not quite.

In all seriousness, it does call us to reframe our thought process around security and privacy failures. It means thinking about "success" not as creating an incident-free utopia but, rather, creating an organization that can learn from those scary moments, dusting off our knees, and trudging forward even wiser and stronger.

I've said this before but bears repeating: **_Breaches can happen to anyone_**. That's why a company's _response_ to a breach is more important than almost anything else. In fact, a company's response is truly what sets it apart from other brands even after a relatively minor security incident.

So, what constitutes a "good" response following a security incident? At a high level, it's a deliberate, calculated, and well-articulated plan that communicates key details, developed by several key players who are all working toward a common goal.

**Finding the Right Words  
**In security incident response planning, both what you say and how you say it matters. In essence, a security incident response plan puts the right resources in the right place so that challenges such as data loss and reputational damage are kept to a minimum. Security teams utilize an incident response plan to identify, eliminate, and recover from a threat quickly and uniformly.

Incident response plans will look different from company to company, but they should address and provide a structured process for preparation, identification, containment, eradication, recovery, and lessons learned. A response plan is only valuable when it's created ahead of time, of course. So, if you're reading this and your organization doesn't have an incident response plan in place … **stop reading and create one now.**

Or, if you're not the person responsible for building one, send your IT and security leaders an email like the one below:

**_Subject Line:_** Do We Have An _Incident Response Plan?_

_**Body of Email:** Been reading a lot about breaches and how they can happen to anyone. Just curious, do we have an IR plan in place? How can my team help?_

Along the same lines, a breach notification letter is necessary whenever sensitive customer information is involved. The breach notification letter needs to meet different regulatory requirements depending on the industry. Get clear about what you need to disclose and what you shouldn't disclose because it would give too much useful information to your adversaries far in advance.

The tone used to communicate a response is also critical. Executives should show they care for their employees and their customers and own up to their mistakes. Even if the breach was caused by a third party they picked, companies can't ignore, cover up, or deflect blame once they're under fire.

I get it. A breach is embarrassing. Asking customers to change their passwords is like a virtual walk of shame. No one wants to be in that position, especially when every word and decision is sure to be scrutinized and criticized by many. Security incident response, and certainly breach response, goes far beyond technology; it's a pressure test of culture and security leadership. Companies with good culture — one that embodies true collaboration and solidarity — are much more likely to suffer minimal internal damage after a security incident.

Security team members must evaluate the ongoing work required and hold those needed accountable, but it is essential to act as one team rather than attack one another. Security incidents rarely have a singular point of failure, and everyone must come together — from the CISO to the security analyst — to resolve the issue.

**Who Is Going to Help You Say It?  
**There are several departments — outsourced and internal — that should be sitting around the proverbial incident response table. While they will all play different roles, they're all necessary to achieve the end goal: not making a misstep when it matters most. Legal, finance, communications, and security teams are integral during these moments.

Many companies choose to appoint an incident director or team leader who will coordinate incident response activity and move things along at a desirable pace. Their priorities are to make sure that all of the professionals involved are communicating with each other and remain focused on shared goal(s). There also should be a lead investigator who is responsible for collecting and analyzing evidence and determining the initial entry point of the malicious activity. The lead investigator will work with the security team and advise on what details they think will be valuable to customers in combating future security incidents. Acknowledge there will be some things influenced by outside parties they cannot control (even the National Security Agency or FBI at times).

There also should be a concerted communications effort that focuses on messaging to all audiences inside and outside of the company. Breaches can often be a PR nightmare if the people speaking to the media or replying with comments on social media aren't prepared with the right information and what I call "red and green phrases" or rules. Often, communications teams don't know much about IT security, so to avoid having them say things that endanger the investigation or reveal information you don't want revealed, it's wise to put together a list of red and green phrases — red phrases should be avoided; green ones are preferred. You don't want spokespeople revealing too much or an incorrect detail about how the breach occurred and why you were caught flat-footed. You want them to tell the truth and protect the mission and identity of the company but in a way that doesn't reflect poorly on it.

Understand the limitations of your current investments, but more importantly be honest on your ability to detect, disrupt, respond, and recover. Much of this success goes beyond software and depends more on what you've built and how you've trained ahead of time.

_Stay tuned for Part 3, which will provide action advice on how to go forward once stuff hits the fan._

Security Stuff Happens: What Will the Public Hear When You Say You've Been Breached?

Companies see AI-powered cybersecurity tools and systems as the future, but at present nearly 90% of them say they face significant hurdles in making use of them.

Companies are quickly adopting cybersecurity products and systems that incorporate artificial intelligence (AI) and machine learning, but the technology comes with significant challenges, and it can't replace human analysts, experts say.

In a Wakefield Research survey published this week, for example, almost half of IT security professionals (46%) said their AI-based systems create too many false positives to handle, 44% complained that critical events are not properly flagged, and 41% do not know what to do with AI outputs. In total, 89% of companies reported challenges with cybersecurity solutions that claimed to have AI capabilities.  

    

Source: Devo

Not all AI-based projects are created equal, as some technology is more mature, says Gunter Ollmann, chief security officer at Devo, which sponsored the survey.

"When they talk about rolling out AI for cybersecurity ... those are the projects that are commonly failing," he says. "In particular, NLP \[natural language processing\] is being dangled as a technology that can do cool things for your security and as a way to manage your attack surface area, but it has not really been successful."

**The Promised Benefits of AI for Cybersecurity  
**Incorporating machine-learning and AI features into cybersecurity products has been widely heralded as a way for companies to gain more visibility into attacks on their data and infrastructure, and as a way to respond more quickly. In December, for example, business consultancy Deloitte called the trend toward more AI in cybersecurity to be a way of taming the complexities in today's business infrastructure, which includes more devices, more cloud services, and more employees working from home.

"Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance," the consultancy stated.  

The most mature uses of machine learning in cybersecurity products are for the detection of threats on the endpoint and user and entity behavior analytics (UEBA) to pinpoint risky users and compromised devices, says Allie Mellen, security and risk analyst for Forrester Research, a business intelligence firm.

**AI Security Challenges Abound**  
While finding and classifying IT assets topped the list of uses of AI-based cybersecurity — with 79% of companies using the technology for that application — it also topped the list of challenges, with 53% of respondents considering the use case problematic, according to Wakefield Research's survey of 200 IT security professionals.

About a third of companies had challenges in correctly deploying the systems, and a quarter criticized the vendors for not updating the product enough to be valuable.

There are definitely differences in opinions between business executives, who largely consider AI to be a perfect solution, and security analysts on the ground, who have to deal with the day-to-day reality, says Devo's Ollmann.

"In the trenches, the AI part is not fulfilling the expectations and the hopes of better triaging, and in the meantime, the AI that is being used to detect threats is working almost too well," he says. "We see the net volume of alerts and incidents that are making it into the SOC analysts hands is continuing to increase, while the capacity to investigate and close those cases has remained static."

The continuing challenges that come with AI features mean that companies still do not trust the technology. A majority of companies (57%) are relying on AI features more or much more than they should, compared with only 14% who do not use AI enough, according to respondents to the survey.

In addition, few security teams have turned on automated response, partly because of this lack of trust, but also because automated response requires a tighter integration between products that just is not there yet, says Ollman.

**Augmentation, Not Replacement  
**Another dimension of the AI challenge is a lack of clarity on its role vis a vis security staff. While AI applications can deliver real benefits, it's important to understand that they augment the human analyst in the security operations center (SOC) rather than replace them, Forrester's Mellen stresses. That's a conclusion many companies likely do not want to hear, given the problems many have in hiring knowledgeable cybersecurity professionals.

"The most important resource that we have are the people that we have working today in the SOC," Mellen says. "AI helps, of course, for detection ... but we have to recognize that it is not going to be a complete game changer for security. The way that we use machine learning today is not even at the point where it would be able to take over most of the responsibilities of the human analyst."

Devo's Ollman also cautioned that organizations need to have realistic expectations for what AI can and cannot do.  

"I think there is the sci-fi view that AI will be a superhuman that operates at 1,000 times faster than the best human alive; leave that for the sci-fi books," he says. "Augmentation is about how do I make the human faster and more efficient in what they are doing, and also closing skills gaps that they have."

The challenges all suggest that trained human analysts, with expertise in machine learning and AI, are needed to make best use of AI-augmented cybersecurity products. And AI systems that can explain their conclusions will be necessary in the future to augment human analysts and retain trust, Ollmann says.

AI for Cybersecurity Shimmers With Promise, but Challenges Abound

The venerable film franchise shows us how to take threats in STRIDE.

Over years of teaching threat modeling — including the STRIDE mnemonic, which I'll describe here — I've found that people often get stuck when trying to answer "what can go wrong?" My favorite way to help them clear these hurdles is with stories from a long time ago in a galaxy far, far away.

_Star Wars_ offers an accessible and expansive set of examples. It lets us focus on fun rather than fear because fun leads to engagement. Engagement leads to understanding. And understanding leads to better threat modeling.

From a certain point of view, _Star Wars: A New Hope_ is a tutorial in the STRIDE threats. Let's start with the first of those threats, "**Spoofing**."

How does R2-D2 know who Obi-Wan Kenobi is? How can he decide to play the recording of Princess Leia for Obi-Wan, but not Luke? These questions allow us to go investigate concepts of identifiers and authenticity while making them tangible and relatable.

**Questions of Authenticity: "Who Is This? What Is Your Operating Number?"  
**Authenticity first requires an identifier: a statement of who you are. This might be a name ("Han Solo") or a role ("Stormtrooper"). Either might be true or false. Given the risk of impersonation, confusion, or lies, we look for authentication factors, such as an ID, a password, or a uniform. Then we evaluate if the identifier is authentic and grant (or deny) authorization.

There are many forms of authentication to consider, depending on if the authentication is _by_ a person or a computer and _to_ a person or a computer. This gives us a way to look at spoofing in different scenarios, including the offensive mechanisms used and the defensive protections.

**Human Identifiers: "TK421, Do You Copy?"  
**People are exceptionally good at identifying people they know well, even after a long time without seeing them. Not recognizing someone is awkward because we expect to be recognized. Recognizing those you're close to: friends and family, or even co-workers, is implicit and automatic. We don't need authenticators.

But outside that circle, it gets rapidly harder. We use a lot of implicit identifiers: uniforms, knowledge, patterns of speech, and some people even use explicit ones, asking to see your identification.

Most of the heroes pretend to be someone other than themselves. Princess Leia pretends to not be a rebel leader after Darth Vader captures her ship. Old Ben pretends not to be Obi-Wan Kenobi, while lying to Luke about his father Anakin being killed by Darth Vader. Luke and Han pretend to be Stormtroopers.

**Technical Identifiers: "I Am C-3PO, Human Cyborg Relations"**  
Many types of technical identifiers exist for services, machines, files, processes, and users. Some are designed for humans, such as "threatsbook.com," others are designed for computers, such as 172.18.19.20. And of course, there's tools to map between them.

It's hard to say when the first spoofed login screen was created, but it was probably around the time teletypes were replaced with electronic terminals. Someone could easily write a program that worked like this:

*   LOGIN: Accept a name and password.
*   Store them.
*   Display "Login incorrect" and logout, allowing the real login program to run.

Authenticating to remote computers only made this worse with the same pattern of false login prompts — now labeled phishing.

_Star Wars_ also gives us examples of how people and technology interact to authenticate one another. R2-D2 authenticates Obi-Wan Kenobi before showing him the hologram of Leia. R2-D2 is also able to spoof an imperial droid when he plugs into the Death Star to find the main controls for the tractor beam, identify where Leia is being held, and shut down all the garbage smashers on the main detention level.

Clearly the Empire has an authentication problem.

**A Galaxy's Worth of Case Studies  
**Watching Obi-Wan can teach you much about cybersecurity:

*   He **Tampers** with a power converter
*   He **Repudiates** claims about Luke's father
*   He **Exceeds** **his authority** in telling Stormtroopers that "these aren't the droids you're looking for."

Right here, we have most of the elements of the STRIDE mnemonic. There's also information disclosure, and of course, from the crawl through the destruction of the first Death Star, _Star Wars_ is the story of **Information** disclosure (the I in STRIDE). That leaves only **Denial-of-service**, like blowing up a shield generator on a forest moon of Endor.

Enjoyment and stories are both powerful teaching aids. I've been using _Star Wars_ as a hook to get people excited and to give them bits that help them remember for years now. Many engineers want to have a better handle on the question "what can go wrong with this code I'm working on?" They don't want to write insecure code, and they don't want to be exploit writers or security operators.

And maybe they don’t even want to learn about something that sounds abstract, like threat _modeling_. That’s fine – we can be concrete and have fun learning about the _threats_ that motivate our work.

That's why I'm really excited to go in depth and take these lessons to the next level with my next book, _Threats: What Every Engineer Should Learn from Star Wars_, coming this fall. For all the fun, we need engineers to know what threats to consider, and what they mean. If we want people to build more secure systems ... it's our only hope!

What Star Wars Teaches Us About Threats

AutoRABIT intends to direct the funding toward growth initiatives and product development.

SAN FRANCISCO, May 4, 2022 /PRNewswire/ -- AutoRABIT, the leading Salesforce DevSecOps platform provider for regulated industries, today announced $26M in new investment from existing investor Full In Partners, a premier growth equity firm.

Given the surge in cybersecurity threats—and recommendations from the White House to harden infrastructure and tighten security policies—this funding comes at a time of increased demand for DevSecOps solutions and amid a period of aggressive growth achieved by the company. AutoRABIT intends to direct the funding toward growth initiatives and product development focused on continuing to solve the real security and development challenges faced by regulated companies using Salesforce.

"The capital we've raised with this new funding round will enable us to continue developing product capabilities to meet the security and regulatory compliance needs of our customers, while enabling them to develop faster and release more features to their own customers and stakeholders," said Meredith Bell, CEO of AutoRABIT. "As AutoRABIT continues to grow, this investment will enable us to deliver even more value to our customers through an enhanced set of DevSecOps tools that will complement our existing suite of technologies."

As Salesforce persists as the largest CRM provider in the world with market share continuing to climb, the challenges faced by its customers continue to compound—because Salesforce was built to be a CRM, not a development platform.

"Since our initial investment in February 2020, we've been thrilled to be an active partner of AutoRABIT as they build a great organization and momentum for growth," said Maurizio de Franciscis, Managing Director and Head of Portfolio Success at Full In. "Cybersecurity is now more important than ever, and AutoRABIT's DevSecOps platform is enabling Salesforce development teams in regulated industries to ship digital products safely and rapidly."

**About Full In Partners  
**Founded in 2019, Full In Partners is a premier woman-led growth equity firm based in New York City. The firm is focused on backing high-velocity, high-efficiency software and internet businesses while building better outcomes through proactive operational and strategic support. To learn more about Full In Partners, please visit: https://fullinpartners.com.

**About AutoRABIT:  
**AutoRABIT's DevSecOps Platform enables Salesforce development teams to improve the quality of their releases at scale through a suite of CI/CD tools that enable teams to configure, build, test, and manage development environments and deployments. The platform also supports data protection and optimization through a suite of Salesforce DataOps tools that enable development teams to retrieve greater insights from their own data while ensuring robust backup and protection. The addition of CodeScan's code analysis technology adds a code security layer to the existing platform. Visit https://www.autorabit.com for more information.

AutoRABIT Secures $26M in Series B Investment from Full In Partners to Expand DevSecOps Platform

Also adds support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage.

WALTHAM, Mass. , May 4, 2022 /PRNewswire/ -- Uptycs, provider of the first cloud-native security analytics platform enabling cloud and endpoint security from a common solution, announced today new cloud infrastructure entitlement management (CIEM) capabilities that strengthen its cloud security posture management (CSPM) offering. In addition, Uptycs announced CSPM support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage. These new capabilities provide Security and Governance, Risk, and Compliance teams with continuous monitoring of cloud services, identities, and entitlements so they can better reduce their cloud risk.

"Disparate cloud security solutions only deliver pieces of the picture, leaving Security teams unaware of new risks in a fast-changing cloud environment," says Ganesh Pai, CEO and co-founder of Uptycs. "As organizations scale out their cloud footprints—including across multiple public cloud providers—they need new types of security controls, especially in the realm of cloud identity and entitlement. Uptycs provides a unified platform for CSPM and CWPP that gives Security teams a holistic and fully integrated platform for securing their cloud resources, workloads, and infrastructure."

As they add cloud accounts, resources, and infrastructure, the number of user and machine identities grows exponentially. The majority of these identities have more access than they need to do their jobs, posing a serious risk if an attacker is able to steal credentials. According to Gartner, more than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted.1 In addition, Gartner estimates that "by 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020."2

With new cloud identity and entitlement analytics capabilities in Uptycs, Security and Governance teams can solve these challenges:

*   **Monitor least privilege -** Continuously monitoring cloud infrastructure to spot identity misconfiguration and permissions gaps so they can move toward least-privilege access, minimizing the damage that can be caused by privilege escalation.
*   **Measure identity risk and governance posture -** Measuring the overall identity risk posture for cloud accounts based on factors such as root account configuration, credentials rotation, possibility of privilege escalation, and credential exposure.
*   **Harden cloud IAM policies -** Continuously analyzing cloud IAM policies and creating risk profiles so that teams can prioritize their efforts on tuning the most risky policies.
*   **Map identities and relationships -** Visually map relationships across accounts, rank connections based on riskiness, and show the impact a user can have on an asset or critical service.
*   **Detect and investigate identity misuse -** Show top cloud IAM principals and services denied based on specific time windows, enabling users to drill down into trends for a specific user/service and spot any anomalies from the regions based on historical data.

The cloud identity and entitlement analytics capabilities are generally available today for AWS as an add-on for the Uptycs CSPM offering. Uptycs' broader CSPM support for GCP and Azure (inventory, audit, compliance, and threat detection) is generally available.

1 Gartner, "Managing Privileged Access in Cloud Infrastructure," Paul Mezzera, December 7, 2021

2 Gartner, "Innovation Insight for Cloud Infrastructure Entitlement Management, Henrique Teixeira, Michael Kelley, Abhyuday Data, June 15, 2021

**About Uptycs  
**Uptycs provides the first cloud-native security analytics platform that enables endpoint and cloud security from a single platform. The solution provides a unique telemetry-powered approach to address multiple use cases—including Extended Detection & Response (XDR), Cloud Workload Protection (CWPP), and Cloud Security Posture Management (CSPM). Uptycs enables security professionals to quickly prioritize, investigate, and respond to potential threats across a company's entire attack surface. A free trial of Uptycs can be requested at www.uptycs.com/free-trial.

Uptycs Announces New Cloud Identity and Entitlement Management (CIEM) Capabilities

Six boxes of paper documents were removed from the facility without authorization in early March.

SAN BERNARDINO, Calif., May 3, 2022 /PRNewswire/ -- Social Action Community Health System ("SAC Health") is providing notice of a recent event that may affect the privacy of certain patient information. This notification provides information about the event, SAC Health's response to it, and resources available to individuals to help protect their information, should they feel it necessary to do so.

**_What Happened?_** On March 4, 2022, SAC Health became aware of a break-in to an off-site storage facility where certain limited patient records were housed. Six boxes of paper documents were removed from the facility without authorization. We immediately began working with local authorities to determine the nature and scope of this event and launched a thorough investigation into this matter. SAC Health was able to confirm that certain limited patient documents were impacted by this theft.

On April 22, 2022, SAC Health determined that the impacted files related to certain patients served by SAC Health in 1997 and between 2006 and 2020. On May 3, 2022, SAC Health began notifying the potentially impacted population.

**_What Information Was Involved?_** SAC Health's analysis revealed that the types of information held by SAC Health and potentially in the stolen storage containers _may_ include name, address, date of birth, and diagnosis codes.

**_How Will Individuals Know If They Are Affected By This Incident_****?** Based on the nature of access to the information, SAC Health concluded that the extent of the access is limited to impacted files related to certain patients served by SAC in 1997 and between 2006 and 2020. Out of an abundance of caution, SAC Health is sending notice to all individuals included in that population.

**_What Is SAC Health Doing?_** Upon learning of this incident, SAC Health moved quickly to investigate and respond. SAC Health is assessing all policies and procedures related to the storage of paper data. Although SAC Health is unaware of any actual or attempted misuse of information as a result of this incident, SAC Health is offering affected individuals access to complimentary credit monitoring through Equifax. In addition, SAC Health is providing notice to appropriate regulatory authorities

**_Has the information been misused_**_?_ At this time, there is **no** evidence that there has been any use, or attempted use of the information potentially exposed in this incident.

**_What You Can Do._** SAC Health encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report, place a fraud alert, or a security freeze. Contact information for the credit bureaus is below:

**Experian**

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

www.experian.com/fraud/

form-minor-child.html

**TransUnion**

P.O. Box 2000

Chester, PA 19016

1-888-909-8872

www.transunion.com/credit-disputes/

child-identity-theft-inquiry-form

**Equifax**

P.O. Box 105788

Atlanta, GA 30348-5788

1-800-685-1111

https://www.equifax.com/person...

request-child-credit-report/

Individuals can further educate themselves regarding identity theft, fraud alerts, security freezes, and steps to protect their information by contacting the Federal Trade Commission or the California Attorney General. Instances of known or suspected identity theft should be reported to law enforcement and the state attorney general.

**_For More Information._** SAC Health regrets any concern this incident may cause. If individuals have questions about the incident, they may contact SAC Health's toll-free dedicated assistance line at 877-839-2553. This toll-free line is available Monday – Friday from 6:00 am to 6:00 pm PDT. Individuals may also write to SAC Health at 250 S. G Street, San Bernardino, CA 92410.

SAC Health System Impacted By Security Incident

The security research partnership will focus on developing new techniques and releasing them as open source.

Aryaka and CyLab, Carnegie Mellon University’s Security and Privacy Institute, announced a strategic partnership to research new threat mitigation techniques and develop new enterprise networking and security solutions.

Under the partnership, Aryaka will provide funding and industry experts to assist more than 100 faculty members and 100 graduate students with research to identify, prioritize, and develop threat mitigation techniques. The hope is to make these techniques available as open source to help enterprises and security vendors to better defend against cyberattacks, CyLab’s Daniel Tkacik wrote.

The modern IT landscape is very different from when users were in offices and applications were in data centers, said Renuka Nadkarni, Aryaka’s chief product officer. Applications are now anywhere and users can access those applications regardless of their geographic location. Security needs to be reconsidered in the case of the application and not the network.

Aryaka is also the founding sponsor of CyLab’s Future Enterprise Security Initiative, a multi-disciplinary approach to making complex security solutions available and accessible. The initiative’s mission is to rethink “security across enterprise ecosystems through innovations in artificial intelligence, computer science, engineering, and human factors research,” Tkacik wrote.

Founded in 2003, CyLab is a public/private collaborative computer security and privacy research institute and is one of the largest security research centers in the US. Aryaka decided to partner with CyLab because of the university’s work in artificial intelligence and machine learning as well as in other fields such as humanities, psychology, and policy, said David Ginsburg, Aaryaka’s VP of product and solutions marketing. A multi-disciplinary approach gives researchers the opportunity to look at problems not just from the technology point of view, but to also consider attacker motivations and intent.

Aryaka will guide research topics, offer industry expertise, provide data sets for building AI models, and give feedback on techniques being developed.

Aryaka, Carnegie Mellon’s CyLab to Research New Threat Mitigation Techniques

The Internet of Things needs to be part of the overall corporate information security policy to prevent adversaries from using these devices as an entry point.

**Question: What do I need to know about defending IoT attack surfaces?**

**Bud Broomhead, CEO at Viakoo:** There are several reasons why it's critical for organizations to defend their IoT attack surface, most importantly being that IoT devices are powerful systems containing compute, storage, and networking that threat actors view as the easiest way to breach an organization or enable exploits. They need to be part of the overall corporate infosec policy unless a specific exemption is given, including policies around firmware patches and using certificates. The impact of not defending the IoT attack surface is massive and tends to fall into two categories. First is realizing that IoT device vulnerabilities are an effective method to breach an organization, and second is preventing IoT devices from being used in broader cyberattacks against multiple organizations.

Let's start with why IoT devices have become a preferred method for cybercriminals to breach an organization. IoT devices are hard to secure; they exist at 5 to 20 times the scale of IT devices, and they are often physically distributed widely across the organization (they are not neatly contained in data centers). Traditional IT security solutions don't work for IoT because they are often agent-based, and IoT devices do not allow agents to be placed on them due to the devices having unique operating systems and communication protocols.

Not only are there more vulnerabilities impacting IoT devices than traditional IT systems, IoT devices offer a wider set of exploits to a threat actor. For example, man-in-the-middle attacks are essentially a solved problem for IT systems, yet still can be effective against IoT systems. These are some of the reasons threat actors view IoT as low-hanging fruit in breaching an organization.

Likewise, many IoT devices are deployed and managed by the line of business (such as physical security, facilities, manufacturing, etc.), and may not be visible to the IT organization. Unless an automated solution is used, updating firmware on IoT devices can be slow, meaning that the window of vulnerability is open far longer for IoT than for IT systems. And because many IoT devices use open source software components (a fast-growing method of delivering vulnerabilities), enabling security fixes across a fleet of IoT devices with different makes and models also allows the attack window to be open for much longer than IT. Despite many organizations deploying IoT devices on networks segmented and firewalled away from the corporate network, over time connections to the corporate network happen, leading to IoT devices being a key method of entering an organization then pivoting to the corporate network (the hacked fish tank in Las Vegas comes to mind).

Another major reason defending the IoT attack surface is a high priority comes from how botnet armies are typically formed using IoT devices (the most famous example being the Mirai botnet, but many other examples exist). These IoT-based botnets deliver a significant percent of spam and phishing attempts (estimates range as high as 90%), which leads directly to planting malware and ransomware and enabling data exfiltration across multiple organizations. Fighting phishing and other attack vectors leads directly to shrinking the IoT attack surface.

I'd like to end on a practical note with a few concrete tips:

*   Make sure IoT devices are covered by corporate infosec policies.
*   Use IoT discovery and threat-assessment solutions to ensure every IoT device is visible.
*   If you have a zero trust initiative underway, extend it to IoT.
*   Use automation for implementing security fixes, and documenting all stages of it, both for compliance and management purposes.

The end result should be every IoT device being visible, secure, and performing its function – and a greatly reduced attack surface.

Source

DARKReading