serisec

Category: national security policy

  • On Microsoft’s Lousy Cloud Security

    On Microsoft’s Lousy Cloud Security ProPublica has a scoop: In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings. The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an…

  • US Bans All Foreign-Made Consumer Routers

    US Bans All Foreign-Made Consumer Routers This is for new routers; you don’t have to throw away your existing ones: The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be…

  • Is “Hackback” Official US Cybersecurity Strategy?

    Is “Hackback” Official US Cybersecurity Strategy? The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary…

  • Jailbreaking the F-35 Fighter Jet

    Jailbreaking the F-35 Fighter Jet Countries around the world are becoming increasingly concerned about their dependencies on the US. If you’ve purchase US-made F-35 fighter jets, you are dependent on the US for software maintenance. The Dutch Defense Secretary recently said that he could jailbreak the planes to accept third-party software. Bruce Schneier Go to…

  • US Declassifies Information on JUMPSEAT Spy Satellites

    US Declassifies Information on JUMPSEAT Spy Satellites The US National Reconnaissance Office has declassified information about a fleet of spy satellites operating between 1971 and 2006. I’m actually impressed to see a declassification only two decades after decommission. Bruce Schneier Go to bruce schneier

  • The Constitutionality of Geofence Warrants

    The Constitutionality of Geofence Warrants The US Supreme Court is considering the constitutionality of geofence warrants. The case centers on the trial of Okello Chatrie, a Virginia man who pleaded guilty to a 2019 robbery outside of Richmond and was sentenced to almost 12 years in prison for stealing $195,000 at gunpoint. Police probing the…

  • A Cyberattack Was Part of the US Assault on Venezuela

    A Cyberattack Was Part of the US Assault on Venezuela We don’t have many details: President Donald Trump suggested Saturday that the U.S. used cyberattacks or other technical capabilities to cut power off in Caracas during strikes on the Venezuelan capital that led to the capture of Venezuelan President Nicolás Maduro. If true, it would…

  • White House Bans WhatsApp

    White House Bans WhatsApp Reuters is reporting that the White House has banned WhatsApp on all employee devices: The notice said the “Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved…

  • US as a Surveillance State

    US as a Surveillance State Two essays were just published on DOGE’s data collection and aggregation, and how it ends with a modern surveillance state. It’s good to see this finally being talked about. Bruce Schneier Go to bruce schneier

  • CVE Program Almost Unfunded

    CVE Program Almost Unfunded Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute. This is a big deal. The CVE program is one of…

  • Arguing Against CALEA

    Arguing Against CALEA At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades,…

  • DIRNSA Fired

    DIRNSA Fired In “Secrets and Lies” (2000), I wrote: It is poor civic hygiene to install technologies that could someday facilitate a police state. It’s something a bunch of us were saying at the time, in reference to the vast NSA’s surveillance capabilities. I have been thinking of that quote a lot as I read…

  • DOGE as a National Cyberattack

    DOGE as a National Cyberattack In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national…

  • US Treasury Department Sanctions Chinese Company Over Cyberattacks

    US Treasury Department Sanctions Chinese Company Over Cyberattacks From the Washington Post: The sanctions target Beijing Integrity Technology Group, which U.S. officials say employed workers responsible for the Flax Typhoon attacks which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the United States, Taiwan, Europe and elsewhere. Bruce Schneier…

  • The Scale of Geoblocking by Nation

    The Scale of Geoblocking by Nation Interesting analysis: We introduce and explore a little-known threat to digital equality and freedom­websites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between free and paid websites, allowing trunk cables to repressive states, enforcing…