SINGAPORE – The Cyber Security Agency (CSA) is starting a study aimed at raising the productivity and professionalism of cyber-security workers.

It may result in an outline of the competencies required of chief information security officers – known by the acronym Cisos – and their teams of security executives who are in high demand, given their key role amid surging cyber attacks.

Ms Veronica Tan, CSA’s director at safer cyberspace division, told The Straits Times: “For organisations, clarity in standards and desired skills at various roles will mean greater improvements in workforce competency and productivity.”

The study will involve industry players, training institutions and certification bodies, she added.

CSA’s plan comes as companies warm to the idea of designated cyber-security personnel, but sometimes find themselves hindered by limited budgets and a shortage of skilled talent.

Mr Nyan Yun Zaw, the first Ciso at Singapore cyber security advisory firm Athena Dynamics, said: “The industry turnover rate for Cisos is unfortunately pretty high because it is a highly challenging and stressful job.

“When the organisation faces a security incident, this is the first person everyone looks to.”

Chief information security officer, a title that arose in the 1990s after Citibank appointed one following a cyber attack, has risen in prominence in recent years as some countries made mandatory disclosures of material cyber breaches or attacks.

There have also been high-profile cases of criminal charges taken against such officers, such as at Uber and SolarWinds.

Mr Zaw took on the job at Athena Dynamics just over a year ago when his company expanded it beyond IT infrastructure and support.

His background was a string of roles ranging from engineering, cyber security, programming, to business development and sales in the firm since its set-up in 2014.

He added to his expertise by becoming a Certified Information Systems Security Professional, a label granted by the International Information System Security Certification Consortium, also known as ISC2.

He said: “We felt that there is a need to have a dedicated Ciso since we are also part of a listed company.”

Cisos spend their time securing their companies’ assets, learning new threats and technologies, and working with cross-functional teams, he said.

He added: “Ciso is a management position, so it is important for a Ciso to be knowledgeable in various aspects of cyber ranging from governance, risk and compliance to network security architectures.”

In the 12 months leading up to September, job portal Indeed recorded 48 per cent of its postings in Singapore seeking communication skills in cyber security leaders, compared to 38 per cent specifying expertise in IT, and 16 per cent in information security.

Around the same time, the number of postings for such roles on its portal dropped 36 per cent, suggesting that firms might be filling positions through internal promotions or team restructuring, said Mr Saumitra Chand, Indeed’s career expert.

“This decline may be due to the demanding nature of leadership positions like Cisos, which require high levels of expertise and specialisation,” he said.

To help small and medium-sized enterprises (SMEs) or non-profit organisations that cannot afford designated security personnel, CSA launched its CISO-as-a-Service (CISOaaS) scheme in February 2023.

It has received about 200 applications so far.

Organisations tapping the scheme can use CSA’s panel of 19 vendors to audit their cyber health and guide them to attain CSA’s Cyber Essentials and Cyber Trust marks, with up to 70 per cent subsidies.

CSA is planning updates to the two marks to reflect new risks in cloud, operational technology and Artificial Intelligence (AI), said Ms Tan.

Digital agency Digipixel, which has used CISOaaS, said achieving both trust marks helped it gain trust from customers.

Its director, Mr Leon Tan, said: “Pooled services can sometimes lack industry-specific context, but our collaboration with CSA has been a productive exchange.”

Mr Dave Gurbani, chief executive at CyberSafe, an appointed vendor, said: “We start by conducting a cyber-security health plan, like a doctor’s check-up.”

The firm then helps its mostly SME clients work through their internal controls, configurations, policies, and training to pass the audits for CSA’s marks.

“Many SMEs still think of cyber security in terms of anti-virus tools or maybe a firewall. To put it simply, that’s like thinking you’re ready for the day just because you have your socks and shoes on,” Mr Gurbani said.

Gaps that frequently show up include outdated systems, misconfigurations from third-party vendors, and weak access controls like shared passwords and lack of Multi-Factor Authentication.

“Without guidance, these vulnerabilities can be hard to recognise and fix,” Mr Gurbani added.

Another vendor, Momentum Z, takes firms calling on the CISOaaS service through a three-pronged assessment of employees’ cyber-security basics, company’s processes and policies, and cyber-security infrastructure such as firewall, antivirus, back-up data use and endpoint security.

Chief executive Shane Chiang said he has had clients that have not changed passwords for six years, or who had been granting external vendors remote access to their network with no inkling.

He said: “Clients are often surprised to learn the vulnerabilities in their systems, which reinforces the importance of having a Ciso to bring structure and foresight into cyber security.”

CSA’s 2023 cyber security health survey released in March noted that only one in three organisations have fully implemented at least three of CSA’s five categories of recommended measures.

More organisations need help with knowing what data they have, where the data is stored and how to secure the data, CSA’s Ms Tan said. Businesses are also weak at safeguarding their systems and networks against malicious software, as well as guarding access to data and services.

She urged more organisations to tap CSA’s tools to up their game, adding: “Unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks, especially as they accelerate digitalisation and adopt fast-evolving technologies such as AI.

“Partial adoption of measures is inadequate.”

WASHINGTON – The woman who dubbed herself the “Crocodile of Wall Street” and “Razzlekhan” in rap videos was ordered to serve 18 months behind bars for helping her hacker husband launder cryptocurrency he stole from the Bitfinex exchange.

Heather Morgan, 34, was sentenced on Nov 18 in Washington federal court. Last week, her husband, Ilya Lichtenstein, got five years in prison for his role in the scheme, which stemmed from his 2016 hack of the exchange and the theft of Bitcoin currently worth billions of dollars. Both pleaded guilty last year.

Morgan wasn’t involved in the hack, and her husband said he recruited her to help hide the loot he’d stolen. They could have faced more prison time, but he agreed to aid the United States in other crypto prosecutions and she persuaded him to cooperate with the authorities.

The Verge, which called her “crypto’s most embarrassing rapper”, said she made crypto-themed rap videos under the name Razzlekhan. The whole story is expected to be immortalized in a Netflix documentary series and a film called Dutch & Razzlekhan, the tech news website said.

According to prosecutors, Morgan and Lichtenstein engaged in complex money-laundering techniques, including creating accounts under fictitious identities, moving the stolen proceeds in small amounts, and breaking up the trail of transactions by depositing and withdrawing funds from crypto exchanges and darknet markets. They purchased nonfungible tokens, gold and Walmart gift cards, court records show. 

At the time of the hack, the stolen Bitcoin was worth about US$71 million (S$95 million). Now it’s valued in the billions of dollars as the price of Bitcoin has surged from US$580 to more than US$90,000. The couple laundered 21 per cent of what was stolen in the Bitfinex hack, according to the government. BLOOMBERG

WASHINGTON – A U.S. Senate Judiciary subcommittee overseeing technology issues will hold a hearing Tuesday on Chinese hacking incidents, including a recent incident involving American telecom companies.

The hearing to be chaired by Senator Richard Blumenthal will review the threats “Chinese hacking and influence pose to our democracy, national security, and economy,” his office said, adding the senator plans “to raise concerns about Elon Musk’s potential conflicts of interest with China as Mr. Musk becomes increasingly involved in government affairs.”

Musk, the head of electric car company Tesla, social media platform X and rocket company SpaceX, emerged during the election campaign as a major supporter of U.S. President-elect Donald Trump. Trump appointed him as co-head of a newly created Department of Government Efficiency to “slash excess regulations, cut wasteful expenditures, and restructure Federal Agencies.”

Musk, who was in China in April and reportedly proposed testing Tesla’s advanced driver-assistance package in China by deploying it in robotaxis, did not immediately respond to requests for comment.

The hearing will include CrowdStrike Senior Vice President Adam Meyers, Telecommunications Industry Association CEO David Stehlin, Strategy Risks CEO Isaac Stone Fish and Sam Bresnick, research fellow at the Center for Security and Emerging Technology at Georgetown University.

U.S. authorities said on Wednesday last week that China-linked hackers have intercepted surveillance data intended for American law enforcement agencies after breaking in to an unspecified number of telecom companies.

The hackers compromised the networks of “multiple telecommunications companies” and stole U.S. customer call records and communications from “a limited number of individuals who are primarily involved in government or political activity,” according to a joint statement released by the FBI and the U.S. cyber watchdog agency CISA.

The announcement confirmed the broad outlines of previous media reports that Chinese hackers were believed to have opened a back door into the interception systems used by law enforcement to surveil Americans’ telecommunications.

It follows reports that Chinese hackers targeted telephones belonging to then-presidential and vice presidential candidates Donald Trump and JD Vance, along with other senior political figures, which raised widespread concern over the security of U.S. telecommunications infrastructure.

Beijing has repeatedly denied claims by the U.S. government and others that it has used hackers to break into foreign computer systems.

Last month, a bipartisan group of U.S. lawmakers asked AT&T, Verizon Communications and Lumen Technologies to answer questions about the reported hacking of the networks of U.S. broadband providers. REUTERS

HELSINKI/STOCKHOLM – The Finnish and German governments on Monday said an investigation was under way of a severed fibre optic communications cable running on the Baltic seabed and linking the two countries, and they cited concerns about the security of critical infrastructure.

The 1,200 km (745 miles) fibre optic cable running through the Baltic Sea from Helsinki, Finland’s capital, to the German port of Rostock may have been severed by an outside force, Finnish state-controlled cyber security and telecoms network company Cinia said.

The C-Lion1 cable malfunctioned just after 0200 GMT, the company said.

The Finnish and German foreign ministries said in a joint statement that they were “deeply concerned” by the severed cable and that a thorough investigation was underway.

“Our European security is not only under threat from Russia’s war of aggression against Ukraine, but also from hybrid warfare by malicious actors,” they said. “Safeguarding our shared critical infrastructure is vital to our security and the resilience of our societies.”

The sudden outage implied that the cable was completely severed by an outside force, although a physical inspection has not yet been conducted, Cinia’s chief executive, Ari-Jussi Knaapila, told a press conference.

The damage occurred near the southern tip of Sweden’s Oland island and could typically take between five and 15 days to repair, he added.

Cinia said it was working with authorities to investigate the incident.

Swedish public service broadcaster SVT reported that Swedish authorities were also investigating damage to a communications cable running between Lithuania and Sweden, close to the one that was severed.

“It is absolutely central that it is clarified why we currently have two cables in the Baltic Sea that are not working,” Carl-Oskar Bohlin, minister of civil defence, told SVT.

The Swedish government did not immediately reply to Reuters’ request for comment.

Last year a subsea gas pipeline and several telecoms cables running along the bottom of the Baltic Sea were severely damaged in an incident raising alarm bells in the region.

Finnish police investigating the 2023 case have named a Chinese container ship believed to have dragged its anchor as a prime suspect, but have not said whether the damage was believed to be accidental or intentional.

In 2022 the Nord Stream gas pipelines linking Russia to Germany in the Baltic Sea were destroyed by explosions in a case that remains under investigation by German authorities. REUTERS

NEW YORK – T-Mobile’s network was among the systems hacked in a damaging Chinese cyber-espionage operation that gained entry into multiple US and international telecommunications companies, The Wall Street Journal reported on Nov 15, citing people familiar with the matter.

Hackers linked to a Chinese intelligence agency were able to breach T-Mobile as part of a months-long campaign to spy on the cellphone communications of high-value intelligence targets, the Journal added, without saying when the attack took place.

“T-Mobile is closely monitoring this industry-wide attack,” a company spokesperson told Reuters in an email.

“At this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information.”

It was unclear what information, if any, was taken about T-Mobile customers’ calls and communications records, according to the WSJ report.

On Nov 13, the Federal Bureau of Investigation (FBI) and the US cyber watchdog agency Cisa said China-linked hackers have intercepted surveillance data intended for American law enforcement agencies after breaking into an unspecified number of telecom companies.

Earlier in October, the Journal reported that Chinese hackers accessed the networks of US broadband providers, including Verizon Communications, AT&T and Lumen Technologies, and obtained information from systems the federal government uses for court-authorized wiretapping.

Beijing has previously denied claims by the US government and others that it has used hackers to break into foreign computer systems. REUTERS

WASHINGTON – The mastermind behind one of the biggest-ever Bitcoin heists was ordered to serve five years in prison for conspiring with his social-media rapper wife to launder money he stole by hacking into the Bitfinex exchange and grabbing cryptoassets now worth billions of dollars.

Ilya “Dutch” Lichtenstein was sentenced in Washington on Nov 14, after he and his wife, Heather Morgan, pleaded guilty last year in a scheme to hide proceeds from the 2016 hack. Morgan, known as “Razzlekhan” in her rap videos, will be sentenced Nov 18. The government recommended an 18-month sentence for her.  

Lichtenstein, 37, faced as long as 20 years behind bars. But the government cited his substantial assistance that “has benefited numerous investigations.” The Bitfinex hack resulted in the theft of 119,754 Bitcoin worth about US$71 million (S$23 million) at the time. But since then, the token has surged from US$580 in 2016 to more than US$90,000 this week, boosting the value of the assets to billions. 

“This is so massive, it is not comparable to other crypto crimes” based on its scale and complexity, US District Judge Colleen Kollar-Kotelly said before sentencing. Lichtenstein carried out his scheme over several years, which undermines defense claims that his actions were “impulsive,” the judge said.  

Lichtenstein, a “highly skilled computer expert,” used several hacking techniques to gain access to the Bitfinex network, and then, in August 2016, fraudulently authorised more than 2,000 transactions to move Bitcoin to a cryptocurrency wallet he controlled, the government said. 

He and his wife used sophisticated and meticulous money-laundering techniques to hide the stolen proceeds, including setting up accounts under fictitious identities, moving funds in small amounts, and breaking up the trail of transactions by depositing and withdrawing funds from crypto exchanges and darknet markets. They bought nonfungible tokens, gold and Walmart gift cards, according to the government. 

Lichtenstein “became one of the greatest money launderers that the government has encountered in the cryptocurrency space,” prosecutors wrote in an October sentencing memo. “If the defendant were to take what he has learned from this prosecution and incorporate it into a future money laundering scheme, he would be even better-equipped to conceal his activity while monetizing his crimes,” they wrote. 

Since his plea last year, Lichtenstein has assisted the government in other criminal cases, including as a government witness in a money-laundering trial involving a mixing service called Bitcoin Fog. 

Other hacks

While Lichtenstein had no official criminal history before his arrest in 2022, the Bitfinex hack wasn’t his first, the government said. As a juvenile, he experimented with hacking and financial fraud, and around 2015, he illegally transferred a small amount of PayCoin, an alternative form of virtual currency, prosecutors said. The following year, he stole about US$200,000 from a virtual currency exchange, the government said.

But he also worked in legitimate businesses. While in college, Lichtenstein ran a digital marketing agency from his dorm, and after graduation, a software company he co-founded grew to 30 employees, the government said. 

“His decision to use his skills for criminal ends is thus particularly disappointing, but it gives hope for continued successful rehabilitation,” prosecutors said in the sentencing memo. 

Morgan attended her husband’s sentencing, along with Lichtenstein’s family. Lichtenstein expressed remorse to the judge and pledged that he would use his skills to help with cybersecurity. “I can make a real difference in the fight against cybercrime,” he said. 

He asked that his wife avoid prison time. “Heather is only involved in this case because of me,” he said. BLOOMBERG

WASHINGTON – A previously confidential directive by Biden administration lawyers lays out how military and spy agencies must handle personal information about Americans when using artificial intelligence, showing how the officials grappled with trade-offs between civil liberties and national security.

The results of that internal debate also underscore the constraints and challenges the government faces in issuing rules that keep pace with rapid advances in technology, particularly in electronic surveillance and related areas of computer-assisted intelligence gathering and analysis.

The administration had to navigate two competing goals, according to senior administration official Joshua Geltzer, the top legal adviser to the National Security Council: “harnessing emerging technology to protect Americans, and establishing guardrails for safeguarding Americans’ privacy and other considerations”.

The White House last month held back the four-page, unclassified directive when President Joe Biden signed a major national security memo that pushes military and intelligence agencies to make greater use of AI within certain guardrails.

After inquiries from The New York Times, the White House has made the guidance public. A close read and an interview with Mr Geltzer, who oversaw the deliberations by lawyers from across the executive branch, offer greater clarity on the current rules that national security agencies must follow when experimenting with using AI.

Training AI systems requires feeding them large amounts of data, raising a critical question for intelligence agencies that could influence both Americans’ private interests and the ability of national security agencies to experiment with the technology.

When an agency acquires an AI system trained by a private sector firm using information about Americans, is that considered “collecting” the data of those Americans?

The guidance says that does not generally count as collecting the training data – so those existing privacy-protecting rules, along with a 2021 directive about collecting commercially available databases, are not yet triggered.

Still, the Biden team was not absolute on that question. The guidance leaves open the possibility that acquisition might count as collection if the agency has the ability to access the training data in its original form, “as well as the authorisation and intent to do so.” NYTIMES

WASHINGTON – China-linked hackers have intercepted surveillance data intended for American law enforcement agencies after breaking in to an unspecified number of telecom companies, US authorities said on Nov 13.

The hackers compromised the networks of “multiple telecommunications companies” and stole US customer call records and communications from “a limited number of individuals who are primarily involved in government or political activity”, according to a joint statement released by the Federal Bureau of Investigation (FBI) and the US cyber watchdog agency CISA.

The two agencies said the hackers also copied “certain information that was subject to US law enforcement requests pursuant to court orders”.

The statement gave few other details, and the Cybersecurity and Infrastructure Security Agency immediately responded to a request for comment.

The FBI declined to comment.

The announcement confirms the broad outlines of previous media reports, especially those in the Wall Street Journal, that Chinese hackers were feared to have opened a back door into the interception systems used by law enforcement to surveil Americans’ telecommunications.

That, combined with reports that Chinese hackers had targeted telephones belonging to then-presidential and vice-presidential candidates Donald Trump and J.D. Vance, along with other senior political figures, raised widespread concern over the security of America’s telecommunications infrastructure.

The matter is already slated for investigation by the Department of Homeland Security’s Cyber Safety Review Board, which was set up to analyse the causes and fallout of major digital security incidents.

The Chinese Embassy in Washington did not immediately return a message seeking comment. Beijing routinely denies US hacking allegations. REUTERS

We spend so much of our lives online but have we thought about what will happen to our digital trails and assets when we die?

It is a question that came up for husband-and-wife content creators Muhammad Alif Ramli and Liyana Syahirah Ismail Johari.

Content creators Liyana Syahirah Ismail Johari and Muhammad Alif Ramli documented their journey in seeking help to manage digital assets.

They realise, for example, that if no clear instructions are left behind, not knowing the passwords, or not knowing about dormant accounts on long-forgotten platforms, can pose problems.

It is especially important, given Mr Alif’s medical history.

When Mr Alif was 10, he was diagnosed with rhabdomyosarcoma, a soft tissue cancer. He underwent multiple chemotherapy cycles and nine surgical operations, which the 28-year-old described as a “close-to-death experience”, before he recovered.

In the fourth episode of The Straits Times’ docuseries Let’s Talk About Death, Mr Alif and Ms Liyana, 27, seek help from experts to consolidate their digital assets.

They speak to a cyber security expert to find out how to best manage their passwords. They also talk to a lawyer who specialises in digital assets to look into protecting their social media accounts, which may generate revenue in the future.

Finally, Mr Alif and Ms Liyana also attempt to write their wills with the help of artificial intelligence tools, with the key question being: Will they be valid under syariah law?

Let’s Talk About Death is a five-episode docuseries that follows several millennials and their loved ones as they navigate end-of-life planning, and it starts honest conversations about death and dying well.