Cyber Saturday—Trump’s Hacking Trophy, Huawei’s ‘Backdoors,’ Maersk’s Ransomware Lesson

May 4, 2019, 11:00 PM UTC

President Donald Trump signed an executive order on Thursday that aims to strengthen the country’s cybersecurity workforce.

The order laid out a number of sorely needed federal initiatives. Among them: standardizing job listings to help cybersecurity workers more easily move around government, creating a rotational employment program between the Department of Homeland Security and other agencies, establishing awards for elementary and secondary school educators who foster cybersecurity talent, and incentivizing people to learn and master hacking skills through new “awards and decorations.”

Perhaps the most interesting part of the document called for a “president’s cup cybersecurity competition.” The goal, the directive states, “shall be to identify, challenge, and reward the United States Government’s best cybersecurity practitioners and teams across offensive and defensive cybersecurity disciplines.” The order mandates that such a contest, intended for both military and civilians, will take place before the end of the year. Winners are set to earn a minimum cash prize of $25,000.

The order won kudos around the Hill. Rep. Bennie G. Thompson (D-MS), chairman of the committee on homeland security, and Rep. Cedric Richmond (D-LA), chairman of the committee’s cybersecurity, infrastructure protection and innovation subcommittee, said in a joint statement that the order “signals the start of a real national effort to grow and diversify the cyber talent pipeline.” Congressman Jim Langevin (D-RI), cofounder and cochair of the congressional cybersecurity caucus, praised the order for recognizing people who “too often [do] unheralded work keeping us safe.”

Games can be a highly effective way to develop, retain, and reward talent. For proof, look no further than another cybersecurity contest, the 2019 National Collegiate Cyber Defense Competition. Jake Smith and Daniel Chen, both members of this year’s winning team, interns at Raytheon (a sponsor of the contest), and students at the University of Virginia, said the reason they became interested in cybersecurity in the first place was due to CyberPatriot, another similar contest sponsored by the Air Force Association and aimed at high school-level participants.

“I didn’t know much about cybersecurity before [CyberPatriot], but I found my passion and I definitely want to go work in the industry,” Smith told me. Contests such as these help people break into the industry by offering hands-on experience, he said.

Of course, the government still needs to figure out some of the details for its own cup. It remains to be seen how the contest will handle people who deal in classified areas, for instance, as they are often restricted from participating in such public affairs.

Surely, The Cyber Apprentice’s show-runners will find a solution.

Robert Hackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my, PGP encrypted email (see public key on my, Wickr, Signal, or however you (securely) prefer. Feedback welcome.


Unicorn poachers. Slack said in a recent regulatory filing with the Securities and Exchange Commission that it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors." Other so-called unicorn tech startups that recently went public, or that are preparing to go public, such as Uber, Lyft, Pinterest, and PagerDuty, warned prospective investors about the potential for "unauthorized access" to their systems. Slack was, however, the only one to list potential adversarial groups by type, as Motherboard points out.

Close the door behind you. British telecom giant Vodafone found "hidden backdoors" in gear manufactured for Italian consumers and businesses by Huawei, the Chinese telecom equipment maker, Bloomberg reported. Vodafone disputed the characterization of this seeming threat and said the issues had been resolved in 2011 and 2012. Security experts piled on, criticizing Bloomberg for its sensationalist take: the supposed backdoor in question was actually an improperly documented Telnet service, commonly used by technology vendors for debugging and diagnostics. Also, in somewhat related news, British Prime Minister Theresa May has sacked her defense secretary as she believed he leaked information to the press relating to Britain's plans for Huawei.

The next Bill Gates? Justin Schulte, a former Central Intelligence Agency computer engineer who was arrested in 2017 for alleged crimes relating to sexual assault, child pornography possession, and leaking national secrets to WikiLeaks, is not taking his detention quietly. In a court filing, he said he is owed more than $50 billion for "irreparable harm from torture imposed by the Federal Terrorists," as CyberScoop reports. A taste of his argument: "What if Bill Gates’ life was similarly destroyed by government malfeasance prior to Microsoft?" Schulte wrote. "Would he have been reimbursed the $80 billion he’s worth today?" It's clear he thinks highly of himself.

If you build it, they will come. The National Institute of Standards and Technology (NIST), creator of a federal cybersecurity framework that serves as a bible for many cybersecurity practitioners, has released a privacy framework. The document lays out how companies can balance business drivers with consumer protection concerns. NIST also published a draft paper on the subject of securing "Internet of Things" devices. And, while we're on the subject of framework documents, BSA, a tech trade group known as the software alliance, released one covering the development of secure software. These are all meaty documents, but worth perusing.

Hackity hack, don't hack back. Hackers appear to have disrupted electrical grid operations in the western U.S. Hackers crept around inside Citrix's network for six months. Hackers breached a German Internet infrastructure company that works with big companies like Oracle, Airbus, and Volkswagen. And hackers have been holding GitHub repositories ransom.

Baby beluga in the deep blue sea of Norway.



Shape up, or ship out. At a cybersecurity conference hosted by the National Cyber Security Centre in the UK, Lewis Woodcock, an executive at the Danish shipping giant A.P. Moller-Maersk, recounted what happened when the company succumbed to "NotPetya," a crippling ransomware attack, in June 2017. An important lesson for companies planning a cybersecurity strategy, he said, per ZDNet's report, was that a data recovery plan is just as important as having defenses in place.

The extent of the cyberattack was so bad that it just didn't seem possible that something so destructive could have happened so quickly.

"I remember that morning—laptops were sporadically restarting and it didn't appear to be a cyberattack at the time but very quickly the true impact became apparent," said Lewis Woodcock, head of cybersecurity compliance at Moller-Maersk, the world's largest container shipping firm.


When Artificial Intelligence Knows Too Much (or Too Little) About You by Michael Lev-Ram

Despite the Trump Admin's 'All-Out Offensive,' Huawei's Global Smartphone Sales Soar by Jeran Wittenstein

Is the Muslim Brotherhood a Terrorist Organization? Trump Thinks So by Natasha Bach

How One Company Is Using A.I. to Increase Security for a Christchurch Mosque by Emma Hinchcliffe

The EU Wants to Build One of the World's Largest Biometric Databases. What Could Possibly Go Wrong? by Grace Dobush

Apple's Crackdown on Parental Control Apps: What You Need to Know by Don Reisinger

Poway Synagogue Shooter Found Hate Online by Ellen McGirt

'A Goldmine for Identity Thieves': Unprotected Database Puts 65% of American Households At Risk by Chris Morris


Flash of a neuralyzer. In the coming weeks, Google will offer auto-delete controls for people's location history and web and app activity data. The company already offered an "on/off" toggle for this collection. Now people will be able to set a time limit—three or 18 months—after which the company will automatically wipe the details from its memory. "You should always be able to manage your data in a way that works best for you—and we’re committed to giving you the best controls to make that happen," Google said in a blog post.
