Secretary of State Tony Blinken announced last week plans for the State Department to create a new bureau of cyberspace and digital policy.

Why it Matters. The establishment of the bureau and plans for a new envoy to oversee critical and emerging technology come after a series of significant hack attacks and other online crimes, notably ransomware assaults on U.S. infrastructure.

Details. Blinken said in a memo to staff that following congressional approval, the new envoy and the Bureau of Cyberspace and Digital Policy "provide us with greater leadership and accountability to drive the diplomatic agenda within the interagency and abroad," per AFP. 

• State Department spokesperson Ned Price said at a briefing later Monday that the new Senate-confirmed ambassador-at-large would "lead the immediate technology diplomacy agenda with our allies, partners, and across the range of multilateral fora."
• The envoy would focus on "three key areas: international cyberspace security, international digital policy and digital freedom."

The Big Picture: President Biden signed an executive order in May in response to the cyberattacks in the public and private sectors — from the hacking of the Colonial Pipeline to the SolarWinds and Microsoft Exchange attack.
​

• Some $590 million had been paid by victims of ransomware attacks in the first six months of this year amid a surge in cybercrime, according to a Treasury Department report released earlier this month.

Last year a hacker group used a bit of malicious code it hid in a software update by the company SolarWinds to launch an immense cyberattack against U.S. government agencies and corporations—see Issues 7-27, 7-36, and 7-38.

The group behind the attack, Nobelium, is reportedly being directed by the Russian intelligence service. And they're at it again.

According to Microsoft, one victim of the SolarWinds hack, the group is targeting technology companies that resell and provide cloud services for customers.

"Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain," Tom Burt, Microsoft's Corporate Vice President of Customer Security & Trust, said in a blog post on the company's website.

"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," he added.
​
The hacker group hasn't tried to ferret out vulnerabilities in software, Burt said, but has been using techniques like phishing and password spray to gain entry to the targeted networks.

Office 365 users are now in cybercriminals' crosshairs in a new phishing campaign, according to a warning the Microsoft Security Intelligence (MSI) team issued via Twitter. Malicious actors are using email addresses that appear to be legitimate, with display names that mimic bona fide services to dodge email filters.
Microsoft cautioned cybercriminals are going above and beyond to use detection-evasion techniques that are convincing and authentic-looking.

"An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to slip through email filters," MSI explained on Twitter.

The deceptive phishing campaign targets Office 365 organizations with employees who often send attachments to co-workers. MSI found phishing emails that seemed as if they were sent from a trusted source. Many of these emails contained faux Microsoft SharePoint attachments with labels such as "Price Books," "Bonuses" and "Staff Reports."

The phishing emails use a tactic called "typosquatting," which involves registering deliberately misspelled domains that, at first glance, look close to a well-known brand. Most quick readers would overlook the subtle typo.

If users fall for the bait and click on the "Open" link, it will lead them to a page that lures them to type in their Microsoft or Google credentials. According to MSI, these sign-on pages look very convincing, making users believe that they're on a trustworthy path to a legitimate website.

MSI kept emphasizing how authentic these phishing emails looked. Employers may not be able to rely on their employees' good judgment to identify suspicious-looking emails. That's why MSI shamelessly plugged its Microsoft Defender for Office 365 program as a solution, adding that this software "detects and blocks" these emails.
​
Phishing attacks are a huge thorn in the side for many popular companies like Netflix and PayPal, but the Redmond-based tech giant should be particularly concerned. According to a CheckPoint Research study, Microsoft topped the list as being the most imitated brand for phishing attacks.

Benefits. A well-known example of an emerging technology is artificial intelligence (AI). This technology has many facets, including machine learning, natural language processing and speech recognition. In September/October 2020, the Information Systems Audit and Control Association (ISACA) and Protiviti conducted a global survey of over 7,400 IT audit leaders and professionals to get their perspectives on the top technology risks their organizations will face in 2021. Nearly 50% of the over 4,500 global respondents to the ISACA survey showed they are already using AI technologies (22%) or are in the planning and pilot stages of adopting them (27%).

Companies that have adopted emerging technologies, such as AI, hope to benefit from the competitive advantages that these technologies can provide. For example, cost savings and heightened revenues are made possible through increased efficiency and enhanced customer products and experiences.

Companies can speed up the adoption of emerging technologies by investing broadly across the company and using technologies in a way where the responsibility resides with the process owner. This approach generates better cost savings as process owners can solve a business problem specific to them, resulting in operational efficiencies and an increase in quality analysis.

Internal audit can also embrace AI technologies to enhance risk monitoring and control effectiveness. In a use case-specific example, machine learning can analyze general ledger data and pinpoint incorrect or fraudulent journal entries among thousands of other transactions. Note that larger and more complex business problems—which may have a broader impact across multiple areas of the business or have aspects that present greater risk to the company—would require collaboration and consultation with data scientists, who could be internal personnel or consultants.

Risks. Companies adopting emerging technologies must not only consider the benefits but also the associated risks. To develop an understanding of individuals' perceptions, the ISACA survey asked respondents to indicate their views on the risks of adopting AI technologies. Most respondents rated the risks associated with AI to be low (30%) or medium (33%), whereas only 9% determined AI to be high risk. In practice, companies must consider the maturity and complexity of the business processes using AI to determine true risk to the company.

One risk is that these emerging technologies will not achieve companies' expectations. To combat this risk, a clear vision needs to be established and supported by defined objectives with realistic targets. Due diligence involves thorough research to identify requirements for new projects that have a significant impact on the company. IT governance should play a substantial role as emerging technologies are being integrated into the business, including representation across different IT groups—such as application development, security, and infrastructure—within the IT governance process. This will enable communication across various parts of the business and help identify additional needs while streamlining project implementation. Monitoring and regular status updates should be communicated to senior leadership throughout the project, as well as post-launch to help determine if ROI was achieved or miscalculated.

Risks can also emerge from changing regulations that may limit the success of an emerging technology. For example, privacy laws related to the collection of consumer data could impede a company's ability to use successfully certain emerging technologies by disrupting current products and services in production. New regulations are imminent, especially surrounding algorithmic bias for technologies that affect customers. Continuous monitoring of new regulations and nimble development processes are necessary to ensure models comply with changing and new regulations.

Finally, there is a risk that a misconfiguration of the technology could cause an algorithm error issue, which would affect data quality and create threats to data security. These risks can be mitigated by putting strong change management processes in place. These processes ensure test cases are effectively designed and performed, that version controls appropriately log changes to models and source code repositories, and that peer reviews are conducted for coding and model changes. During the planning and building phase, it is critical to be mindful of the data set to identify potential biases and ethical dilemmas.
​
Adopting emerging technologies can create competitive advantages, but these benefits are naturally accompanied with risk. Process owners can take a proactive approach to identify risks by engaging with internal audit or enterprise risk management. Starting discussions about risks and controls early in the technology's implementation will help identify any unaddressed issues and process improvements and ensure emerging technologies are successfully integrated into the business.

Microsoft is officially acquiring RiskIQ, a security software vendor. RiskIQ provides management tools and threat intelligence gathering against a wide range of cyberattacks across Microsoft’s own cloud services, AWS, on-premises servers, and supply chain attacks. While Microsoft hasn’t valued the deal, Bloomberg reported that the company is said to be paying more than $500 million for RiskIQ.

The cloud-based RiskIQ software detects security issues across networks and devices, and the company lists Box, the US Postal Service, BMW, Facebook, and American Express as customers. RiskIQ was originally founded in 2009 and has gradually become an important player in analyzing security threats.

Microsoft hasn’t laid out a detailed plan for how it will integrate RiskIQ into its own security offerings, but it’s bound to use RiskIQ’s software across Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel eventually.

“RiskIQ has built a strong customer base and community of security professionals who we will continue to support, nurture, and grow,” says Eric Doerr, vice president of cloud security at Microsoft. “RiskIQ’s technology and team will be a powerful addition to our security portfolio to best serve our mutual customers.”
​
Microsoft has been gradually growing and improving its security tools amid an intense battle with ransomware. The software maker even acquired ReFirm Labs last month to help protect servers and Internet of Things devices from security attacks. The acquisitions come after months of troublesome ransomware attacks. The Russia-linked REvil ransomware group has been wreaking havoc with ransomware and supply chain attacks in recent weeks, and the security industry is still reeling from a sophisticated SolarWinds hack that breached everything from Microsoft to US government agencies.

Microsoft Corp. said the hackers behind the SolarWinds cyberattack recently compromised a new trio of victims using access to one of the company’s customer support agents.

The hacked portal used by the individual agent contained information for a “small number of customers,” which the attackers used to launch a “highly targeted attack,” Microsoft said Friday in a blog post. The company said it has since removed the attackers and secured the compromised device.

Microsoft didn’t identify the victims but said it had alerted the hacked entities through its nation-state notification process. Microsoft’s Threat Intelligence Center attributed the attack to a group called “Nobelium.” That’s the same group of state-sponsored Russian hackers who used sophisticated intrusion techniques in 2020 to infect with malware 18,000 customers of the Texas-based software company, SolarWinds Corp.
​
Microsoft said Nobelium targeted IT companies, governments, non-profits, think tanks and financial services entities across 36 countries during the recent attack. “The activity was largely focused on U.S. interests, about 45%, followed by 10% in the U.K., and smaller numbers from Germany and Canada,” the Redmond, Washington-based software maker said in the blog.

The group behind the massive SolarWinds hacks has also been running a sophisticated email-based spear-phishing campaign, according to Microsoft. In a blog post by company VP Tom Burt, he said the Microsoft Threat Intelligence Center (MSTIC) has detected a wave of cyberattacks by the group called Nobelium against government agencies, think tanks and non-governmental organizations. Nobelium apparently sent out 3,000 emails to 150 organizations after getting access to Constant Contact, the mass mailing service used by the United States Agency for International Development or USAID.

While most of the targets are in the United States, they're spread out in 24 countries overall. At least a quarter of the intended victims are involved in humanitarian and human rights work and, hence, may be the most vocal critics of Russian president Vladimir Putin. The SolarWinds attack is believed to be a Russian-backed campaign, and the United States government retaliated by expelling 10 Russian diplomats from Washington, DC. The Treasury Department also imposed sanctions on six Russian technology companies that were allegedly involved in creating malicious tools for cyberattacks.

According to Microsoft, it first detected the campaign on January 25th, though Nobelium wasn't leveraging USAID's Constant Contact account to phish targets back then. The campaign has evolved several ways since, and it was only on May 25th that MSTIC determined an escalation on the group's part when it sent out 3,000 emails with legitimate-looking USAID addresses through the mailing service. 

Thankfully, automated threat detection systems blocked most of the emails because of the high volume of emails that were sent out. Further, the contents were anything but subtle. The New York Times says one email blasted out highlighted a message claiming that "Donald Trump has published new emails on election fraud." It then linked to a URL that downloads malware into the victim's computer when clicked. Microsoft says some of the earliest emails that went out may have been successfully delivered, though, and the company is advising potential targets to make sure they're sufficiently protected. 

Burt wrote in his post:
​
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts... when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem."

Non-fungible tokens, or NFTs, are topping the latest cryptocurrency news. Understand what NFTs are, how they’re transforming digital art and content into valuable assets, and other use cases for NFTs.

A fungible asset refers to an asset that is interchangeable with any other like unit of that asset. For example, one bitcoin (BTC) is the same as any other bitcoin in circulation – the case is the same with dollars or euros. Fungible assets are also divisible, meaning someone can fractionally break them up into smaller units that share the same properties. Fungible assets are essentially indistinguishable from one other. These traits are key for any asset to be viable as a payment mechanism. 

Non-fungible tokens are crypto tokens that are indivisible and unique. While NFTs are built on smart contracts just like cryptocurrencies, NFT contracts contain specific information that makes each NFT different from the next. In this way, one NFT cannot be interchanged with another NFT, and the whole cannot be broken down into smaller units and used. These traits denote non-fungibility, hence the name NFT.

NFTs appear most often on the Ethereum blockchain. Each token signifies ownership of a digital asset, though they are also marketed as representing portions of real-world assets as well. NFTs are typically built with the ERC-721 token standard. This standard outlines a minimum set of features that each non-fungible token should possess, but it does not limit potential extra attributes of NFTs.

As the latest hype to hit the Internet, NFTs are making some individuals millions of dollars. This phenomenon hit new heights with the recent sale at Christie’s of the digital artist Beeple’s work entitled ‘The First 5000 Days’ for $69 million and brought digital art to the attention of the mainstream. Another example is Twitter co-founder and CEO Jack Dorsey’s first tweet. As an NFT on blockchain, it sold for almost $3 million.

NFTs could one day be used to record anything from ownership of our homes to our birth certificates, and already there are countless examples of eccentric-sounding tokenization attempts (a token of your family tree, anyone?).

Ownership of an NFT, evidenced by an immutable, cryptographically secured record on the blockchain, is taken as proof by others in the crypto sphere (and in the real world?) that you are the owner of that underlying asset, like a digital certificate of title or stamp of authenticity. This record of ownership can be found on the blockchain, while the digital asset itself is stored on a non-cryptographically secured, separate server owned by a host platform.

Rare or Unique Objects. NFTs are provably scarce assets. Each non-fungible token contains computerized code that verifies it is the only asset with its specific digital identity. This all-important characteristic is useful for creating unique digital goods and can even represent rare physical assets, whose provenance (historical record of ownership) can be tracked and cryptographically verified through its underlying blockchain protocol. The possibilities for exclusive and rare items that can be traded – such as digital art, collectibles, or game pieces – are endless. Platforms like Open Sea, Super Rare, and Nifty Gateway bring NFTs to an ever-growing consumer base.
​
While NFTs still face challenges regarding interoperability and scalability, the technology has shown its utility in proving uniqueness, scarcity, and ownership for both digital and real-world assets. Already a staple in blockchain gaming and collectibles, NFT technology has proved to be a large growth sector of the blockchain industry as use cases expand into digital identity records and representation of scarce real-world assets.
 
“NFTs may make blockchain technology more popular in the eyes of the general public,” said Brian Comiskey, sr. manager of industry intelligence, Consumer Technology Association (CTA)®. “It may underscore a desire to increase more financial transactions (beyond crypto) for consumers and eventually be deployed on the enterprise side for applications like secure cloud storage.”

The City of Las Vegas is home to 650,000 residents, with the greater Las Vegas area attracting 42 million annual visitors. The City of Las Vegas, working with technology and business solutions provider NTT, has expanded its efforts to become a smarter city and provide safe, reliable, and efficient civic technology that stimulates economic growth and offers better experiences for its residents and visitors.

City officials are seeking to improve interoperability among all public service sectors through open-source data sharing and real-time data analytics. They have deployed various tech solutions in the past two years that have already changed city safety.

The city’s smart city charter focuses on six major areas:

• Public Safety: Solutions should better inform first responders and decrease response times.
• Economic Growth: Infrastructures will promote new business models and lead to new job opportunities.
• Mobility: New connected vehicle infrastructure and data analytics will enable safer, more reliable, and energy-efficient mobility options.
• Education: Expanding collaboration with universities will support education initiatives and prepare the future workforce.
• Social Benefit: Programs for underserved communities will help establish demographic equity.
• Health Care: Connected and intelligent medical devices will encourage a broader view of well-being.

In this article, we will focus mainly on public safety initiatives and also touch on some social benefits.

Improving Safe Mobility. This pilot project was designed to decrease traffic congestion and help city officials address the problem of drivers accidentally driving the wrong way on streets. Sensors using lidar placed at various streets in Las Vegas could detect collisions, near misses, how many times cars went the wrong direction, and even resulting decreases in congestion after roadway improvements.

Edge data centers can quickly process and analyze massive amounts of data and send back near real-time alerts and suggestions for traffic control, amber alerts, and more. The connected data from all over Las Vegas streets also helps first responders react more quickly.

Through the pilot program, wrong-way driving was reduced by around 40%.

Expanding to Smart Park Initiative. Following an earlier trial at two park locations, Las Vegas has started expanding its smart park initiative to 12 more locations in a public safety effort. Deploying smart city technology in parks has allowed officials to monitor large crowds, gunshots, vandalism, breaking glass, and more.

Michael Sherwood, director of innovation and technology for the city of Las Vegas, said that understanding how many people visit parks and which facilities they use can help improve maintenance and operations, inform decisions about expansion and services, and protect residents.

Remote monitoring in the parks can improve efficiencies for public safety personnel, too. If sensors detect a visitor in the park after closing hours, automated recordings and remote systems can address the person before alerting officials.
​
As Las Vegas continues to accelerate its smart city projects throughout the city, it’s learning that a connected society can directly benefit citizens and is looking ahead to how smart city technologies can extend further to stadiums, shopping malls, and manufacturing facilities.

Editor’s note: In late February, Microsoft President Brad Smith testified before the Senate Armed Services Committee on emerging technologies and their impact on national security. Later, he also testified at the Senate Select Committee on Intelligence on the SolarWinds hack.

Read Brad Smith’s written testimony from the Senate Armed Services Committee hearing here and watch the testimony here.

Read Brad Smith’s written testimony from the Senate Select Committee on Intelligence hearing here and watch the testimony here.

The following is a Microsoft blog post from Brad Smith.
=================================================================
For two centuries, technology has changed the nature of what it takes to defend a nation. In early 1940, improved tanks rendered worthless two decades of French investment along the fortified Maginot Line, as the German army simply plowed around it. And in late 1941, the United States learned that advances in naval aviation meant that battleships could no longer defend Pearl Harbor. Today, foreign cyberweapons pose a similar threat for the future.

Congress this week will explore the role digital technology’s influence on American power and security. While committees in both the House and Senate will rightly focus on the threats cyberweapons pose, the broader topic of the Senate Armed Services Committee’s hearing focus on the higher stakes represented: digital technologies across the board are rapidly redefining the way we secure the peace, maintain our defense and, when necessary, fight wars.

But today one would be hard-pressed to say that the country has a comprehensive strategy to harness these technologies for the country’s defense. A more cohesive approach is needed, in terms of infrastructure defense, military expertise and global engagement.

The recent SolarWinds cyberattack on the tech sector’s supply chain was a wake-up call. And just last week in Texas, nature demonstrated the vulnerability of our power grid. Yet, since 2014, Russian agencies have intruded into the U.S. electrical grid, and we shouldn’t assume they were alone or had benign intent.

This means we must prepare for more sophisticated foreign attacks. We need to strengthen our software and hardware supply chains and modernize IT infrastructure. We must also promote broader sharing of threat intelligence, including for real-time responses during cyber incidents.

Let’s start with the need for more open sharing of information. Today, too many cyberattack victims keep information to themselves. We will not solve this problem through silence. It’s imperative that we encourage and sometimes even require better information sharing, including by tech companies.

But cybersecurity is just the start. Emerging technologies such as cloud and edge services, AI and 5G will redefine the requirements for military operations at mission speed, based on their ability to harness massive amounts of data and computational power.

The Pentagon needs to move more quickly to use, secure and adapt commercial advances for military applications. This will require more agile procurement, more digital skills in personnel training, and a closer partnership between the government and the tech sector.

The development of digital technology often starts with commercial technology and then moves to military and intelligence adaptations, rather than the other way round. This is the opposite of the Cold War, and it changes almost everything.

It means that military supremacy in digital technology is dependent on broader national leadership in the field. And, while the computer revolution took root on American soil, it is now a worldwide endeavor with global powers, including China, competing in and sometimes leading the race.

This requires a holistic approach to government-sponsored basic research and technology trade policy. The United States has unmatched capability for basic research through our research universities. Yet government research spending has declined, and within the next few years China is expected to surpass us.

We also need to strengthen ties with our allies, building on the global nature of technology innovation. Microsoft’s quantum computing efforts illustrate this well, with labs in Indiana, California and Washington, as well as Denmark, the Netherlands and Australia.

Finally, global technology leadership requires successful work to promote standards and technology protocols that reflect American inventions. The U.S. has excelled in these fields through decades of international outreach. This can’t stop now.

A lot is at stake, including the nation’s unique role in providing global leadership. When we think about the role of technology for the country’s defense, our ability to establish and defend the most important connective tissue of the international order – in areas such as finance, cybersecurity, healthcare and transportation – marks one stronghold of American power and security.

We will need to lead with moral authority and not the strength of technology alone. As in the past, there is no substitute for technology the world can trust.

For the last 70 years, the United States has provided what we might think of as the global public operating system. The next 70 years will witness this not just as a metaphor, but as real software power. Our national security strategy therefore must continue to offer the best options for countries around the world as they transition every part of their national lives to a digital age.