WASHINGTON – Chinese hackers are positioning themselves in US critical infrastructure in the event of a clash with the United States, a top American cybersecurity official said on Nov 22.

Ms Morgan Adamski, the executive director of US Cyber Command, said ongoing Chinese-linked cyber operations are aimed at gaining “an advantage in the event of a major crisis or conflict with the US.”

Ms Adamski made the comments to researchers at the Cyberwarcon security conference in Arlington, Virginia.

On Nov 21, US Senator Mark Warner told the Washington Post that a suspected China-linked hack on US telecommunications firms was “the worst telecom hack in our nation’s history – by far.”

That cyberespionage operation, dubbed “Salt Typhoon,” has included stolen call records data, the compromise of communications of top officials of both major US presidential campaigns before the Nov 5 election, and telecommunications information related to US law enforcement requests, the FBI said, in a recent statement.

Beijing routinely denies cyber operations targeting US entities.

The Chinese Embassy in Washington did not immediately respond to a request for comment. REUTERS

An Iranian hacking group is actively scouting U.S. election-related websites and American media outlets as election day nears, according to a new Microsoft blog published on Wednesday. Researchers say the activity suggests “preparations for more direct influence operations.”

The hackers – dubbed Cotton Sandstorm by Microsoft and linked to Iran’s Islamic Revolutionary Guard Corps – performed reconnaissance and limited probing of multiple “election-related websites” in several unnamed swing states, the report notes. In May, they also scanned an unidentified U.S. news outlet to understand its vulnerabilities.

“Cotton Sandstorm will increase its activity as the election nears given the group’s operational tempo and history of election interference,” researchers wrote. The development is particularly concerning because of the group’s past efforts.

Iran’s mission to the United Nations did not immediately respond to a request for comment. In recent past comments, they denied any involvement in 2024 election-related hacking activity.

In 2020, Cotton Sandstorm launched a different cyber-enabled influence operation shortly before the last presidential election. Posing as the right-wing “Proud Boys,” the hackers sent thousands of emails to Florida residents, threatening them to “vote for Trump or else!”.

The group also released a video on social media, purporting to come from hacktivists, where they showed them probing an election system. While that operation never affected individual voting systems, the goal was to cause chaos, confusion and doubt, senior U.S. officials said at the time.

Following the 2020 election, Cotton Sandstorm also ran a separate operation that encouraged violence against U.S. election officials who had denied claims of widespread voter fraud, Microsoft said.

The Office of the Director of National Intelligence, which is coordinating the federal effort to defend the election from foreign influence, did not immediately respond to a request for comment. REUTERS

SINGAPORE– The Cyber Security Agency (CSA) is starting a study aimed at raising the productivity and professionalism of cyber-security workers.

It may result in an outline of the competencies required of chief information security officers – known by the acronym Cisos – and their teams of security executives who are in high demand, given their key role amid surging cyber attacks.

Ms Veronica Tan, CSA’s director at safer cyberspace division, told The Straits Times: “For organisations, clarity in standards and desired skills at various roles will mean greater improvements in workforce competency and productivity.”

The study will involve industry players, training institutions and certification bodies, she added.

CSA’s plan comes as companies warm to the idea of designated cyber-security personnel, but sometimes find themselves hindered by limited budgets and a shortage of skilled talent.

Mr Nyan Yun Zaw, the first Ciso at Singapore cyber security advisory firm Athena Dynamics, said: “The industry turnover rate for Cisos is unfortunately pretty high because it is a highly challenging and stressful job.

“When the organisation faces a security incident, this is the first person everyone looks to.”

Chief information security officer, a title that arose up in the 1990s after Citibank appointed one following a cyber attack, have risen in prominence in recent years as some countries made mandatory disclosures of material cyber breaches or attacks.

There have also been high-profile cases of criminal charges taken against such officers, such as at Uber and SolarWinds.

Mr Zaw took on the job at Athena Dynamics just over a year ago when his company expanded it beyond IT infrastructure and support.

His background was a string of roles ranging from engineering, cyber security, programming, to business development and sales in the firm since its set-up in 2014.

He added to his expertise by becoming a Certified Information Systems Security Professional, a label granted by the International Information System Security Certification Consortium, also known as ISC2.

He said: “We felt that there is a need to have a dedicated Ciso since we are also part of a listed company.”

Cisos spend their time securing their companies’ assets, learning new threats and technologies, and working with cross-functional teams, he said.

He added: “Ciso is a management position, so it is important for a Ciso to be knowledgeable in various aspects of cyber ranging from governance, risk and compliance to network security architectures.”

In the 12 months leading up to September, job portal Indeed recorded 48 per cent of its postings in Singapore seeking communication skills in cyber security leaders, compared to 38 per cent specifying expertise in IT, and 16 per cent in information security.

Around the same time, the number of postings for such roles on its portal dropped 36 per cent, suggesting that firms might be filling positions through internal promotions or team restructuring, said Mr Saumitra Chand, Indeed’s career expert.

“This decline may be due to the demanding nature of leadership positions like Cisos, which require high levels of expertise and specialisation,” he said.

To help small and medium-sized enterprises (SMEs) or non-profit organisations that cannot afford designated security personnel, CSA launched its CISO-as-a-Service (CISOaaS) scheme in February 2023.

It has received about 200 applications so far.

Organisations tapping the scheme can use CSA’s panel of 19 vendors to audit their cyber health and guide them to attain CSA’s Cyber Essentials and Cyber Trust marks, with up to 70 per cent subsidies.

CSA is planning updates to the two marks to reflect new risks in cloud, operational technology and Artificial Intelligence (AI), said Ms Tan.

Digital agency Digipixel, which has used CISOaaS, said achieving both trust marks helped it gain trust from customers.

Its director, Mr Leon Tan, said: “Pooled services can sometimes lack industry-specific context, but our collaboration with CSA has been a productive exchange.”

Mr Dave Gurbani, chief executive at CyberSafe, an appointed vendor, said: “We start by conducting a cyber-security health plan, like a doctor’s check-up.”

The firm then helps its mostly SME clients work through their internal controls, configurations, policies, and training to pass the audits for CSA’s marks.

“Many SMEs still think of cyber security in terms of anti-virus tools or maybe a firewall. To put it simply, that’s like thinking you’re ready for the day just because you have your socks and shoes on,” Mr Gurbani said.

Gaps that frequently show up include outdated systems, misconfigurations from third-party vendors, and weak access controls like shared passwords and lack of Multi-Factor Authentication.

“Without guidance, these vulnerabilities can be hard to recognise and fix,” Mr Gurbani added.

Another vendor, Momentum Z, takes firms calling on the CISOaaS service through a three-pronged assessment of employees’ cyber-security basics, company’s processes and policies, and cyber-security infrastructure such as firewall, antivirus, back-up data use and endpoint security.

Chief executive Shane Chiang said he has had clients that have not changed passwords for six years, or who had been granting external vendors remote access to their network with no inkling.

He said: “’Clients are often surprised to learn the vulnerabilities in their systems, which reinforces the importance of having a Ciso to bring structure and foresight into cyber security.”

CSA’s 2023 cyber security health survey released in March noted that only one in three organisations have fully implemented at least three of CSA’s five categories of recommended measures.

More organisations need help with knowing what data they have, where the data is stored and how to secure the data, CSA’s Ms Tan said. Businesses are also weak at safeguarding their systems and networks against malicious software, as well as guarding access to data and services.

She urged more organisations to tap CSA’s tools to up their game, adding: “Unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks, especially as they accelerate digitalisation and adopt fast-evolving technologies such as AI.

“Partial adoption of measures is inadequate.”