Salt Typhoon Settles In: So What?

11–14–2024 (Thursday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, November 12, 2024, and - as the theme goes in this show and in cybersecurity - everything old is new again. New again today? Salt Typhoon.

Salt Typhoon Settles In: So What?

We talked last week about nation-state threats, and I’ve urged you before on this show to ignore those headlines and focus on the things that more directly impact us here at the middle market.

I realize it’s a little off-brand, then, to bring back up another Chinese nation-state hacking group, but it’s hard to ignore headlines like this one from the Wall Street Journal: “U.S. Agency Warns Employees About Phone Use Amid Ongoing China Hack.”

Indeed, officials from the Consumer Financial Protection Bureau here in the US “warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms such as Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.”

As a reminder, the threat here is Chinese threat actors dubbed “Salt Typhoon” by Microsoft, who have breached US telecommunications providers using their mandated access points installed after 9/11 to facilitate lawful intercepts.

The reason that other modalities (Teams, WebEx, iMessage, Signal, WhatsApp, etc.) are not vulnerable here is something known as E2EE - or End to End Encryption. This means, in short, that even if the attacker is on the wire, they can’t decode the content of the message - at most they can get metadata (who was contacting whom, when, and what the size of that contact was).

While metadata can still be plenty revealing, the core function of keeping these communications secure seems to be holding for these end-to-end encrypted platforms. I won’t open the can of quantum computing here, which threatens to decrypt those channels that aren’t using a so-called “Quantum Safe” encryption algorithm.

But to refocus some, the pattern here is one that we can genericize and benefit from considering. What do I mean by that? Just that we’re back to the notion of everything old is new again - encrypting data in transit has long been a featured control in whatever framework your organization uses.

Unfortunately, legacy technology isn’t always built with security in mind, hence the vulnerability of things like SMS messages and phone calls.

Keeping your communication secure is important whether you’re facing down Chinese hackers or any number of other threats. Fortunately, modern platforms make this a solved problem, including managing the keys and other encryption mechanisms. And, beyond that, some providers in this space are betting on this functionality being a differentiator (e.g. Apple, Signal), meaning it’s likely to be here to stay.

I think the big lesson for us here is that we need to continue to be vigilant with our data in transit, even when that data is a phone call. I don’t think there’s reason to be paranoid, but if the choice for a sensitive conversation is a phone call or a Teams call, that extra bit of encryption can make the difference - and your users can mostly use this function without meaningful behavior change on their existing devices, including mobile phones.

As we continue to say, being brilliant at the basics is where it all starts - and protecting data in transit certainly falls into that bucket.

Fundraising

From a fundraising perspective, we’re back to more realistic numbers after last week’s moonshot, with only $2.6B in newly committed capital.

We did see a couple of pieces in the Wall Street Journal that caught our eye, including a forward-looking post-election piece asserting that ‘Private Equity Gears Up for Deals to Take Off’ and another noting that ‘Private Equity’s Promise Excites Some Wealth Advisers but Leaves Others Cold’.

Regardless of which side of that coin you come out on, the PE market seems to think that transactions are going to tick up moving forward, and there’s certainly plenty of dry powder to support that hypothesis.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.wsj.com/us-news/u-s-agency-warns-employees-about-phone-use-amid-ongoing-china-hack-dd459273

https://www.wsj.com/articles/private-equity-gears-up-for-deals-to-take-off-5995abc0

https://www.wsj.com/articles/private-equitys-promise-excites-some-wealth-advisers-but-leaves-others-cold-c8934f31
