Newsletter 03/26/2023

The Hearings Congress Didn't Have
Why Don't They Care About These Cyber Issues?

We watched various Members of Congress embarrass themselves while demonstrating they know very little about the issues surrounding the exfiltration of American citizens' personal data by rogue websites.  The cause célèbre of the day was TikTok.  Yet, throughout the hearings, there was no evidence offered to give credence to the notion that TikTok does engage in dangerous data theft; nor was any mention given to how a ban might come to be. 

A report that lists every major data breach that has occurred since 2022 has been published by Tech.co, dated March 13, 2023.  Over the period the report covers, not a single data breach resulting from the use of TikTok has been documented.  There was one rumor last year that turned out to be a Reddit thread that went nowhere.  The House of Representatives itself, however, suffered a data breach in March 2023.  So if you're keeping score at home, make that Congress 1, TikTok 0, in number of times breached.

The most extensive reporting on the TikTok issue has been done by CNN, March 24, 2023.  Time and again, throughout this most thorough report on TikTok, the following quote, or one almost identical, appears.

Security experts say the government’s fears, while serious, currently appear to reflect only the potential for TikTok to be used for foreign intelligence, not that it has been. There is still no public evidence the Chinese government has actually spied on people through TikTok.

Facts do not sound bites make.  I am sure Members beating on the Asian guy make great clips for the primary and to show the Great Unwashed Back Home that This Member means business.  While beating on that White Guy, Brad Smith, President of Microsoft, would be boring as all get out.  Sundar Pichai, Google President, sounds like a brainy kind of guy that would just be oh so tedious with his pointless knowledge about computer type things.  And that Tim Apple guy from Cook Computers (or is it the other way around?) — Isn't he one of those Letter People?  Wouldn't even want one of them sitting in the hearing room, now would we?  No, sir.  Not one of them need to come to Washington, DC to get a verbal reaming from their Representatives.  Yet, it is exactly these three people who should be called before Congress and made to explain under oath why they can't fix all their broken products that endanger us all.

On March 20, 2023, security vendor Mandiant released a study of 0-Day vulnerabilities.  Titled "Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace," its authors state that "Mandiant considers a zero-day to be a vulnerability that was exploited in the wild before a patch was made publicly available."

In its Executive Summary, Mandiant places much of the responsibility, if not culpability and liability, on the three biggest and most well known Big Tech Names. 

Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).

The most exploited type of software remains desktop operating systems.  Windows led that category with "15 zero-days exploiting this product in 2022. In comparison, macOS was exploited in only four out of 19 identified OS zero-days."

Along with the most popular operating systems, the most popular web browser, Google Chrome, was the victim of "9 out of 11 browser zero-day vulnerabilities." 


Images source: Mandiant

Along with the most widely used software products, the products brought to market by those vendors whose products are intended to mitigate security issues themselves fell victim to 0-Day vulnerabilities and exploits.

Ten zero-day vulnerabilities, nearly 20% of all zero-days we identified in 2022, affected security, IT, and network management products.

And on the mobile platforms, Apple's iOS for iPhones and iPads had the dubious distinction of most 0-Days.  Regardless of the product or vendor, the purpose and consequences were to gain access to systems.

Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives. While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited. Alternatively, elevated privileges and code execution can lead to lateral movement across networks, causing effects beyond the initial access vector.

If a Member of Congress wanted to score points back home and have a chance to say the "C" word as often as possible, well here's that chance. 

Consistent with previous years, Chinese state-sponsored groups continue to lead exploitation of zero-day vulnerabilities with seven zero-days exploited or over 50% of all zero-days we could confidently link to known cyber espionage actors or motivations.

Chinese threat actors are increasingly placing focus on the exploitation of vulnerabilities in networking.

Chinese cyberattacks are indeed a threat to our own personal security and safety, as well as the national security.  By expending so much time and energy in swinging at windmills and cyphers, both unknown and unseen, our Representatives lessen the impact of the real threats facing all of us in cyberspace.  Seriously, folks.  Get real for once.

 

 
¯\_(ツ)_/¯
Gerald Reiff