Joe Uchill
Senior Reporter @SCMagazine || Founded Axios Codebook cybersecurity newsletter || Also: The Hill, Motherboard || Cybercybercyber
9 Jun
Any minute now, the House Homeland Security Committee will host a critical infrastructure cybersecurity hearing with Joseph Blount, president and CEO of Colonial Pipeline.

Chair Bennie Thompson calls the system of (largely) voluntary cybersecurity guidelines in critical infrastructure into question.
Thompson: I hope Colonial will use the recouped money to make necessary improvements in its cybersecurity.
7 Jun
DOJ's Colonial Pipeline presser appears ready to start.
Lisa Monaco: "The Department of Justice is announcing a significant development in the ransomware attack on the Colonial Pipeline."
Monaco: "The sophisticated use of technology to hold businesses, and even whole cities, hostage for profit is decidedly a 21st-century challenge, but the old adage, follow the money, still applies. And that's exactly what we do."
5 Apr
I had a thread yesterday about why banning payment of ransomware is not an easy solution to the problem
Just to go through some of the other policy options that are worth considering or combining into a comprehensive package:
One idea is to impose know-your-customer laws and mandatory intervention with warrants on cryptocurrencies sold on legitimate exchanges.

It would help recover funds and impose an extreme cost on criminals trying to stay anonymous.

Speculators would super hate it.
There are international diplomacy angles - increasing cooperation between the United States and traditional havens for ransomware gangs. Obviously, this would be incomplete without Russia and could escalate to sanctions.
4 Apr
With respect to Chris Vickery and other people who've made this suggestion, it's not that easy.
Illegalizing ransoms is actually something with historic precedent. It's shown success against kidnappings in the past.
But here's the thing...
In either case, countries find it extreme to penalize victims being coerced. Many will still pay - just illegally - which means they won't disclose to law enforcement, regulators or customers. And there are situations, like hospitals, where you may actually want people to pay.
3 Apr
This is a weird article, but not for the reasons people seem to think it's a weird article.…
The article makes the assertion that 200 years in the future, only the Beatles and Bob Dylan will be remembered.

If you're angry about that, name three 1760s composers.
If you didn't get Haydn, you probably didn't name two composers from the decade.
10 Mar
CISA leadership will be testifying before the House Appropriations Committee's Homeland Subcommittee in about an hour about "Modernizing the Federal Civilian Approach to Cybersecurity."

I'll be live-tweeting it. 🧵
Interesting notes to consider in advance.

- Brandon Wales will testify as Acting Director.
While the Biden administration has discussed a task force in the wake of Hafnium, there's no confirmed CISA director, someone you'd expect on the task force.
Eagle-eyed readers will notice I've deleted and reposted that tweet twice after misspelling "Interesting" in two different ways.
9 Mar
The interesting thing about gaffes is not that they happen.
They happen to everyone. Today, I forgot the word acronym. What's interesting is how the ones that stick are ones that confirm what people already suspect about the person who said them.
That's not to say legitimately not knowing something important isn't a problem. But if you give 4 hours of speeches a day, you're going to trip over words.

Yet no one honestly thought Obama didn't know how many states there were when he said he visited 53 of them.
Trump was unique in that regard: To the best of my knowledge, he is the only president to claim the facts change to justify a gaffe. Saying "covfefe" was intentional, altering weather maps to show Alabama would be hit by Hurricane Dorian, claiming he said "Tim from Apple".
12 Feb
There's a ton of stuff we don't know about Bloomberg Supermicro 1 and 2 that I'm not sure we're going to know. Here's what I do know about Supermicro 1, the original story:
I know a ton of national security and cybersecurity reporters and contractors who tried to substantiate the first story without success.

I tried to substantiate the first story without success.
People who I spoke to on Capitol Hill said they *wished* it was true to confirm what we generally know about China's industrial espionage.

People I spoke to in industry launched expensive investigations to see if they had been hit. They hadn't.
10 Feb
The EAC is about to vote on the Voluntary Voting System Guidelines 2.0.

The most contentious point in VVSG is that it says wireless technology should be disabled and not completely removed from voting machines.
I'll try to live-tweet anything interesting, but am also expecting a call for work. So this thread may cut short at any time.

It could be very dramatic.
Disabling wifi rather than not purchasing machines that have wifi allows for more maneuverability in commercial, off-the-shelf purchases.
7 Jan
The natsec/infosec implications of the coup attempt are staggering - not just in Pelosi's office.

They'll need to assume all systems and physical files were compromised, and catalog what of each was stolen, altered or destroyed.
In the long run, they need an evacuation failsafe for computer systems.
I wasn't really referring to classified files. But it's worth noting that Mieke Eoyang disagrees both in terms of classified files and in general (down conversation).
2 Jan
By the end of the first season, over the course of several investigations, the FBI had hacked into Boston's transportation system, an online casino that was cooperating with the investigation and the camera on a teenage girl's home computer.

Where will they CSI:CYBER next?
Interesting notes from the intro to episode 1:
-Peter MacNicol (Ghostbusters 2) has been replaced by Ted Danson.
-They've taken out the part where someone whispers "It can happen to you."
1 Jan
The passage of the NDAA means that the Executive Branch gets a new staff member: the National Cybersecurity Director.
The position is modeled after the U.S. Trade Representative, and is one of the Cybersecurity Solarium’s suggestions.
The position is Senate confirmed.
26 Dec 20
There's two seasons of this? Jeepers.
Amazon knows something.
26 Dec 20
Universes with Pedro Pascal in them:

Game of Thrones
Star Wars
Law and Order
The Equalizer
Universes without Pedro Pascal in them:

The Arrowverse
Star Trek
James Bond
Harry Potter
Jurassic Park
Also! He was in the 2011 Wonder Woman TV pilot.

He's a WW vet.
24 Dec 20
I'll buy a post-COVID beer for someone who can tell me what I'm missing.
Anyone? This is perhaps the biggest lay up you'll ever get to call me an idiot.
My brain thinks it's on vacation. You'd only have to beat 50% of my attention span at a three-paragraph reading comprehension quiz.
24 Dec 20
A bunch of outlets have said this CS blog says the same attackers behind the Orion breaches went after them.

Only, I've read the blog, and I don't think it says that?…
What am I missing here?
Here's the relevant passage:
To me, unless I'm missing an important word somewhere, it says they were reviewing to see if they were impacted, and Microsoft said their nonexistent Office 365 email was attacked by *someone.* But not APT 29, per se.
23 Sep 20
Previously, I mentioned that you needed to vote, because I, as a cybersecurity reporter who knows how to do such things, had already voted in your district. You need to cancel me out.

But the situation is more dire. 1/x
Now I have, again, voted in your district. You need to find a friend to vote to have the two votes necessary to cancel out my vote.
And, since it's a secret ballot, and you don't know how your friends vote, maybe it'd be wise to find two or three extra friends to also go vote.
10 Sep 20
Attacks Microsoft has observed against campaigns:…
Important note one: Campaigns aren't election infrastructure. So, when DHS said they weren't seeing attacks against election infrastructure (i.e. voting machines, poll books, etc) this doesn't contradict that.
Important note two: We don't know what the intent was behind attempted hacking. So, while the obvious thoughts will turn to hack and leak sabotage, like in 2016...

Most of the time, these groups are just trying to get boring intelligence from people in the know.
9 Sep 20
I've got two questions about the Woodward book that may not seem serious, but actually kind of are:
Why are books?
What if this thing that everyone says was a secret was actually not a secret?
By the first question I mean two things: Why would it ever be good to print a new idea later as a book rather than print immediately in a newspaper? Also, why does the incentive structure favor waiting for books?
By the second one I mean this: Trump actually said the thing we're angry about Woodward saving for his book at a press conference in April. But even without it, it wasn't a secret that the advice Trump was extending was not based in science. And it was impossible he didn't know that.
9 Sep 20
Donald Trump joins Hitler, Stalin, Oprah and Castro as Nobel Peace Prize Nominees. It's an award where it isn't an honor to be nominated.

Any national government official and professors in law, polisci, history and theology can nominate. In 2005, 199 people were nominated.
318 Nominees in 2020.
None of this, as I said in the comments, reflects badly on his accomplishments - obviously, some really great people get nominated for the Nobel Peace Prize too. But being nominated for the Nobel Peace Prize isn't an exclusive group. It's not like being nominated for an Oscar.