CybersecurityUpdate (https://www.webpronews.com/technology/cybersecurityupdate/)

U.S. Lawmakers Urge Action Over U.K. Plans to Force Apple Encryption Backdoor
https://www.webpronews.com/u-s-lawmakers-urge-action-over-u-k-plans-to-force-apple-encryption-backdoor/ (Fri, 14 Feb 2025 12:30:00 +0000)

U.S. lawmakers are sounding the alarm over the UK’s plan to force Apple to implement a backdoor in iPhone encryption, urging National Intelligence Director Tulsi Gabbard to take action.

The UK alarmed lawmakers, security experts, journalists, activists, and more when it was revealed that it ordered Apple to provide access to iCloud backups for ALL iPhone users, not just those of British citizens. The order—which was issued in secret and is immediately legally binding—is viewed by virtually all as a massive overreach and a dangerous precedent that will weaken cybersecurity for all.

Senator Ron Wyden and Congressman Andy Biggs have written a bipartisan letter to Director Gabbard, urging her to take immediate action to protect U.S. communications and the privacy of American citizens.

“If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.,” Wyden and Biggs wrote. “The bilateral U.S.-U.K. relationship must be built on trust. If the U.K. is secretly undermining one of the foundations of U.S. cybersecurity, that trust has been profoundly breached.”

The lawmakers go on to point out the shortsightedness of undermining end-to-end encryption (E2EE), especially in the aftermath of China’s Salt Typhoon attack, which Senator Warner described as the “worst telecom hack” in U.S. history.

In the wake of the Salt Typhoon attack, both the FBI and CISA recommended that all users rely on E2EE messaging platforms to secure their communication and maintain privacy.

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” said Jeff Greene, an executive assistant director for cybersecurity at CISA.

If U.K. lawmakers get their way, the protection E2EE offers will be completely negated, leaving users vulnerable to cyberattacks and more. Because of the stakes, Wyden and Biggs are urging Director Gabbard to take extreme action, including reevaluating the U.S.-U.K. cybersecurity and data sharing agreements.

The lawmakers also point to Director Gabbard’s testimony during her confirmation hearings, in which she said that “backdoors lead down a dangerous path that can undermine Americans’ Fourth Amendment rights and civil liberties.” They also referenced her written statement that “[m]andating mechanisms to bypass encryption or privacy technologies undermines user security, privacy, and trust and poses significant risks of exploitation by malicious actors.”

The lawmakers are clearly hoping that Director Gabbard lives up to her testimony and sends a strong signal to the U.K. that weakening the very encryption that protects innocent users around the world is an unacceptable course of action.

The Lawmakers’ Letter

Wyden and Biggs’ letter is copied below in its entirety:

Dear Director Gabbard:

We write to urge you to act decisively to protect the security of Americans’ communications from dangerous, shortsighted efforts by the United Kingdom (U.K.) that will undermine Americans’ privacy rights and expose them to espionage by China, Russia and other adversaries.

According to recent press reports, the U.K.’s Home Secretary served Apple with a secret order last month, directing the company to weaken the security of its iCloud backup service to facilitate government spying. This directive reportedly requires the company to weaken the encryption of its iCloud backup service, giving the U.K. government the “blanket capability” to access customers’ encrypted files. This order was reportedly issued under the U.K.’s Investigatory Powers Act 2016, commonly known as the “Snoopers’ Charter,” which does not require a judge’s approval. Apple is reportedly gagged from acknowledging that it received such an order, and the company faces criminal penalties that prevent it from even confirming to the U.S. Congress the accuracy of these press reports.

These reported actions seriously threaten the privacy and security of both the American people and the U.S. government. Apple does not make different versions of its encryption software for each market; Apple customers in the U.K. use the same software as Americans. If Apple is forced to build a backdoor in its products, that backdoor will end up in Americans’ phones, tablets, and computers, undermining the security of Americans’ data, as well as of the countless federal, state and local government agencies that entrust sensitive data to Apple products.

The Salt Typhoon hack of U.S. telephone carriers’ wiretapping systems last year — in which President Trump and Vice President Vance’s calls were tapped by China — provides a perfect example of the dangers of surveillance backdoors. They will inevitably be compromised by sophisticated foreign adversaries and exploited in ways harmful to U.S. national security. As the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI confirmed last November, People’s Republic of China (PRC)-affiliated actors were involved in “copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”

The risk does not just come from wiretapping systems — when sensitive data is stored by third parties, without end-to-end encryption, it is vulnerable to theft when those service providers are hacked. That is exactly what happened in 2023, when PRC-affiliated hackers broke into Microsoft’s systems storing federal agencies’ emails. As the Department of Homeland Security’s Cyber Safety Review Board documented, the foreign spies “struck the espionage equivalent of gold,” enabling them to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China” and “downloaded approximately 60,000 emails from State Department alone.”

After years of senior U.S. government officials — from both Republican and Democratic Administrations — pushing for weaker encryption and surveillance backdoors, it seems that the U.S. government has finally come around to a position we have long argued: strong end-to-end encryption protects national security. Indeed, in the wake of the Salt Typhoon hack, CISA released public guidance which recommended that high-value targets, including Members of Congress, solely use end-to-end encrypted communications tools, like Signal.

While the U.K. has been a trusted ally, the U.S. government must not permit what is effectively a foreign cyberattack waged through political means. If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K. As the U.K. Parliament’s intelligence oversight committee described in a December 2023 public report, the U.K. benefits greatly from a “mutual presumption towards unrestricted sharing of [Signals Intelligence]” between the U.S. and U.K. and that “[t]he weight of advantage in the partnership with the [National Security Agency] is overwhelmingly in [the U.K.’s] favour.” The bilateral U.S.-U.K. relationship must be built on trust. If the U.K. is secretly undermining one of the foundations of U.S. cybersecurity, that trust has been profoundly breached.

You stated at your confirmation hearing that “backdoors lead down a dangerous path that can undermine Americans’ Fourth Amendment rights and civil liberties.” And you wrote in response to a written question that “[m]andating mechanisms to bypass encryption or privacy technologies undermines user security, privacy, and trust and poses significant risks of exploitation by malicious actors.” We urge you to put those words into action by giving the U.K. an ultimatum: back down from this dangerous attack on U.S. cybersecurity, or face serious consequences. To inform ongoing Congressional oversight, please also provide us with unclassified answers to the following questions by March 3, 2025:

1. Was the Trump Administration made aware of this reported order, either by the U.K. or Apple, prior to the press reports and, if so, when and by whom?
2. What is the Trump Administration’s understanding of U.K. law and the bilateral CLOUD Act agreement with regard to an exception to gag orders for notice to the U.S. government?
3. What is the Trump Administration’s understanding of its obligation to inform Congress and the American public about foreign government demands for U.S. companies to weaken the security of their products, pursuant to the CLOUD Act?

Sincerely,

Ron Wyden
United States Senator

Andy Biggs
Member of Congress

CC: Mr. Peter Mandelson, British Ambassador

UK Orders Apple to Provide Unencrypted Access for ALL iPhone Users Worldwide
https://www.webpronews.com/uk-orders-apple-to-provide-unencrypted-access-for-all-iphone-users-worldwide/ (Fri, 07 Feb 2025 15:47:57 +0000)

The UK has just established itself as THE surveillance state—beating out China and Russia—by ordering Apple to give it access to the encrypted data of ALL iPhone users worldwide.

According to The Washington Post, the UK government issued Apple a legally binding order to provide access to all iPhone cloud backups, including those protected by the company’s Advanced Data Protection, a feature that uses end-to-end encryption (E2EE).

The UK is not asking Apple to hack specific accounts or aid law enforcement in specific investigations. Instead, the British government is asking Apple to create a backdoor or bypass so that it can decrypt and access the encrypted content of any iPhone user who relies on iCloud backup, regardless of whether they are a British citizen or a citizen of another country.

To be clear, this puts the UK squarely in a league of its own, going far beyond what China or Russia require. To make matters worse, the UK’s order makes it illegal for anyone within Apple to even disclose its existence—since absolutely, without a doubt, undeniably, absolute secrecy has always been the hallmark of perfectly legal legislation. The Post’s sources obviously believed the issue was a grave enough threat to be willing to risk the legal ramifications should they ever be identified.

Apple itself, within the bounds of what it legally could, tried to warn the world the UK was preparing to issue this order.

“There is no reason why the UK [government] should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption,” Apple told Parliament in March of last year.

At least one of the Post’s sources was a consultant tasked with advising the U.S. on encryption matters. The source confirmed that Apple would be legally prohibited from informing users their encryption had been bypassed and rendered useless. What’s more, the source expressed shock that the UK was essentially trying to force Apple to aid it in its efforts to spy on all users worldwide, regardless of citizenship.

The Encryption Issue

Encryption has been a long-standing point of contention between law enforcement and tech companies. Law enforcement and government officials often point to encryption as some kind of boogeyman that makes it impossible to conduct investigations into terrorism, child trafficking, and all manner of other horrible activities. To be clear, every reasonable effort should be made to combat such things.

Unfortunately, creating backdoors or otherwise undermining encryption is not a reasonable solution. As countless mathematicians, cryptographers, computer scientists, privacy advocates, computer experts, and even government officials have made clear, there is absolutely no way to weaken encryption for the good guys without also making it easier for the bad guys to exploit.

The U.S. recently learned this lesson the hard way, thanks to what Senator Mark R. Warner dubbed the “worst telecom hack in our nation’s history — by far.” China-backed Salt Typhoon hackers gained access to multiple U.S. telecom companies, giving them the ability to monitor phone calls and text messages at will.

In the wake of the attack, even the FBI and CISA have encouraged all users to rely on E2EE messaging platforms.

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, an executive assistant director for cybersecurity at CISA. “Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

What Happens Next

Apple has the right to appeal the UK’s decision, but the company must comply with the order while waiting on the outcome of an appeal. Like the entire process, Apple’s appeal will be in secret, as will the outcome.

In the meantime, if Apple moves forward and complies with the UK’s order, it would represent a major weakening of privacy and security for all iPhone users worldwide. It’s unclear if Apple could legally comply, given that the company is bound by the privacy laws and regulations of other jurisdictions. The EU’s privacy laws, in particular, may prohibit Apple from complying with the UK’s order, at least in the context of EU citizens.

In all likelihood, Apple will stop offering encrypted services within the UK if it is unable to successfully appeal the decision, an outcome that will leave all UK iPhone users in a far worse position, and compromise their ability to protect their private data at a time when bad actors are exploiting such data more than ever.

Unfortunately, it will likely take a Salt Typhoon-like attack on the UK before its government officials finally realize that strong encryption is the cornerstone of safe technology.

Do You Know The Types of Malware Commonly Lurking Around the Cloud?
https://www.webpronews.com/cloud-malware/ (Fri, 07 Feb 2025 11:56:00 +0000)

You love just about every aspect of cloud computing. Your business is saving a ton of money by sending your IT infrastructure to the cloud. You have all of the data storage you’ll ever need, and slow lag times are a thing of the past. You’re so happy with the cloud you’re almost ready to burst.

We hate to rain on your parade, but the cloud isn’t always sunny. Malware may be lurking nearby. We’re navigating the common types of cloud malware so your business is better prepared to handle potential cyber security threats.

Understanding Cloud Malware

Cloud malware is essentially the same as what can attack your physical network and systems. Your cloud is infected with malicious code. What the code does from there depends on the type of attack. Some malware holds your data hostage for ransom. Other types of malware can corrupt or steal your data.

Cloud malware attacks typically inject malicious code into your virtual system. Instead of code, the hackers may even insert malicious virtual machines into your network. That can cause a real mess, because the rogue virtual machines mimic your existing ones and are therefore almost undetectable.

Common Types of Cloud Malware Attacks

Cloud malware attacks are probably a bit more common than you realize. In 2022, around 79% of businesses reported a breach in their cloud. This doesn’t necessarily mean you’re destined to go through a cloud cyber attack. However, it does indicate you have a pretty good chance. So, what types of cloud malware attacks should you be watching for?

Distributed Denial of Service (DDoS) Attacks

This type of malware can be a particular problem for public clouds. Essentially, your server or network is being inundated with bots. These aren’t the friendly little chatbots that pop up on some web pages ready to help. These bots generate malicious traffic that floods your network, causing your cloud service to go offline. In other words, the bots are causing a denial of service.

The bots generally do nothing more than send a flood of requests to your IP address. A few requests at a time won’t cause your network any problems. However, when thousands of bots are all sending requests simultaneously, it’s easy to see why your cloud service is overrun.

Hypervisor DoS

Just when you start thinking about what can be worse than a DDoS attack, something else comes along. A hypervisor DoS attack is classified as a denial of service attack. However, there’s a pretty big difference between the two types of cloud malware.

This type of cyber attack sends malware only to your hypervisor or virtual machine monitor. Once that layer is infected, it’s a breeze for the malware to spread to all of the host’s virtual machines. So not only may your cloud be impacted, but the infection can spread to other tenants on the same host.

Hyperjacking

This almost sounds fun, except it’s illegal and can cause a ton of problems. A hacker takes over the hypervisor that creates and runs the virtual machines in your cloud environment. It sounds a bit confusing, but essentially the hacker is controlling the hosting layer beneath your virtual machines.

Since they’re in the virtual machine, the malicious code is essentially undetectable unless someone is really searching for it. Your cloud host may not realize the malware is in their virtual machines until multiple systems and networks are infected. As we said earlier, it can cause a huge and expensive mess.

Hypercall Attack

This is a creative tactic hackers often use to access cloud environments. A hypercall is the software trap a guest virtual machine uses to request services from the hypervisor; posing as a guest, hackers abuse that interface to get into your domain. Great, now you have an uninvited guest you may not even be aware of.

As with hyperjacking, hackers are aiming for your hypervisor. They’re just going about it a little differently. Rather than directly targeting the hypervisor, they go after the virtual machines through your hypercall handler. This makes the malware tough to detect, even with AI and machine learning tools.

Taking Advantage of Live Migrations

Does your cloud service provider offer live migrations? This is a pretty standard service most businesses take advantage of. Live migrations let you move a cloud application from one physical location to another. You don’t need to disconnect from the app or client just to move to another spot. Pretty convenient isn’t it, especially for staff working in the field?

The downside of the convenience is it can open the doors a little bit for malware attacks. Hackers can use malware to redirect your cloud resources to their network. Now you’ve lost control of your systems and data to the hackers. Other threats during live migrations can include opening your cloud environment up to DoS and DDoS attacks. 

Even if nothing seems to happen during the live migration, hackers can still jump in and quickly modify your system. This modification leaves a back door open for them to visit just about any time they feel like. So, your data and systems are never fully safe until the malware is identified and removed.

Tips on Preventing Common Cloud Malware Attacks

Before deciding there’s no way you can defend against all cloud malware attacks, don’t forget about the advantages you get from the cloud. This doesn’t mean accepting the risks and getting on with business. Instead, you can take a couple of steps to help minimize your potential risks.

Pay Attention to Access Controls

Who has access to your system and networks? There shouldn’t be a welcome mat out for anyone who wants to browse around in your data. Limit access to data by using access controls like multi-factor authentication and encryption.

Keep all encryption keys safe and rotate them regularly. Don’t ignore password strength, and change passwords regularly.

Partner with a Strong Cloud Service Provider

Finding a cloud service provider is as easy as locating a gas station. In other words, there isn’t a shortage of options. Before partnering with a cloud service provider, check their cybersecurity practices. Preventing cloud malware attacks takes both you and your service provider.

NordVPN Introduces NordWhisper to Hide Your VPN Usage
https://www.webpronews.com/nordvpn-introduces-nordwhisper-to-hide-your-vpn-usage/ (Wed, 29 Jan 2025 19:49:42 +0000)

NordVPN is introducing NordWhisper, a service designed to mask VPN usage, potentially solving one of the biggest issues with using a VPN.

Individuals the world over use VPNs to thwart trackers, improve their privacy, and access geo-restricted content. Because VPNs help users protect their privacy, many websites have taken to blocking users who rely on them. As a result, users often have to choose between protecting their privacy and accessing their favorite websites and services.

NordVPN hopes to solve this issue with its NordWhisper protocol.

So how does it work? NordWhisper is based on web tunnel technology, which operates differently from traditional VPN protocols like OpenVPN or WireGuard. Most VPN protocols have distinct characteristics, like specific traffic signatures and behaviors. These patterns can sometimes be recognized by network administrators, who may block them. While many protocols incorporate obfuscation techniques to counteract them, some network policies can still filter them out.

NordWhisper mimics regular web traffic, making it more difficult for network filters to identify it. Essentially, it blends in with ordinary internet activity, providing users with a reliable way to browse on restricted networks while maintaining the same strong encryption and security as other VPN protocols.

The company says the protocol should allow users to continue relying on NordVPN, even when on restricted networks.

The new NordWhisper protocol is designed specifically for situations where traditional VPN protocols are blocked by advanced network filters. These filters are typically applied to prevent VPN usage and may be found in public Wi-Fi hotspots with security filters, like those at airports, cafes, conferences, or other locations with managed internet access.

While standard protocols using obfuscation techniques are effective on networks that prevent access to essential services or public resources, NordWhisper steps in when VPN-specific blocks make connecting to these networks more challenging. This protocol ensures users can browse securely in restricted networks.

NordVPN does caution that NordWhisper could result in slower network traffic, although many users will likely view that as a small price to pay for increased privacy.

The company plans to roll it out first on Windows, followed by Android, Linux, and other platforms.

Once it’s available, you’ll find the option to manually select it within the VPN connection settings on the NordVPN app. So if you face connection issues due to network filters, try it out and see the difference.

Smartphone Security: Protecting Business Data in the Age of BYOD
https://www.webpronews.com/smartphone-security-byod/ (Wed, 29 Jan 2025 08:25:23 +0000)

The trend of Bring Your Own Device (BYOD) has become a standard for many businesses, allowing employees to use their own devices for work. According to the data, 82% of companies have a BYOD program.

While this approach provides much-needed flexibility, cost savings, and productivity enhancement, it comes with significant cybersecurity risks. While it’s not a bad policy to adopt, businesses that embrace a BYOD model need to implement tight security measures to safeguard their important data.

First things first – develop a comprehensive BYOD policy

It’s not good enough to simply tell new hires they can use a personal device if they prefer. It’s crucial to have a comprehensive BYOD policy that specifically addresses elements like security protocols, employee responsibilities, and consequences for ignoring the rules. 

Here are some tips for creating your BYOD policy:

·  Define which devices may be used for work. For example, you might allow tablets (but not smartphones), or laptops (but not tablets). Whatever devices you allow, require them to remain in a protective case at all times. Good cases are affordable, even for new phones like the S25.

·  Specify how each device is to be secured. At the very least, require antivirus software to be installed on every device. You can also require that devices use a password and biometric lock to prevent unauthorized access. Some companies require software that monitors activity or allows for wiping data remotely. You can also create a rule that prohibits employees from allowing other people to use their devices at any time, including friends and family.

·  Create a policy that complies with regulations. Depending on your industry, it might be too much of a security risk to allow anyone to use a personal device, but if not, implement rules that adhere to applicable regulations.

·  Establish a procedure for wiping data remotely. Have a plan for wiping data remotely if a device is lost or stolen, or if an employee leaves the company.

·  Have well-defined consequences. Nobody wants to be the bad guy, but you can’t afford to ignore non-compliance. Spell out the consequences for disregarding your BYOD policies and enforce them across the board without exception. If you make just one exception, people will let their guard down, knowing they can talk their way out of a write-up or termination.

·  Conduct regular security audits. Verify that rules are being followed by conducting regular audits.

·  Block app installations. Implement software that won’t allow unauthorized apps to be installed. This may force some employees to opt out, but it’s safer for your company.

Implement a device management solution

Don’t hesitate to use software that monitors, manages, and secures your employees’ BYOD devices. It’s the only way to maintain control over your data and accounts. Employees may not like the idea of having their personal devices monitored or controlled, but personal devices come with big risks. 

If they want the convenience of being able to use their personal smartphone or laptop, they need to agree to your rules. Otherwise, they’ll need to buy a dedicated personal device or use a company-issued device.

Require encryption for data and traffic

Encrypt all data on the device’s hard drive. It’s good practice to prohibit the use of public Wi-Fi networks, but if you can’t get around that, require employees to use a VPN.

Don’t allow company-issued devices to become personal devices

In addition to securing personal devices, you also need to prevent company-issued devices from turning into personal devices. The easiest way to prevent this is to prohibit taking work devices home.

Train employees on security best practices

Cybersecurity training is crucial, but it only works when it’s thorough and ongoing. Start conducting regular training sessions to educate employees about potential threats specifically related to BYOD. For example, you’ll need to get them thinking about phishing schemes, advanced social engineering techniques, and the importance of installing antivirus updates as soon as they’re available.

Back up data regularly

You can’t rely on employees to back up their data on a regular basis. Even if it’s written into your company policy, backups are often too tedious for the average employee to manage. Instead, implement solutions that create automatic backups wherever they work. 

For example, anything employees do in the cloud – like adding, editing, or deleting documents – should create an automatic record and backup. A great example is how Box maintains access to older versions of documents.

It’s about awareness, training, and strict policies

Once you have a strict BYOD cybersecurity policy, foster a culture of security awareness where employees understand their role in preventing cybersecurity incidents. Your employees will be more likely to follow the rules, and the risk to your business will decrease.

DeepSeek Suffers ‘Large-Scale Malicious Attacks’
https://www.webpronews.com/deepseek-suffers-large-scale-malicious-attacks/ (Tue, 28 Jan 2025 01:50:28 +0000)

On the heels of its biggest news day since its creation, Chinese AI startup DeepSeek is suffering “large-scale malicious attacks.”

DeepSeek took the tech industry by storm with AI models rivaling the best the US can offer at a fraction of the cost of its larger rivals, with reports putting the cost at a mere 3-5%. The fallout has seen tech stocks tank on fears that US AI firms are overvalued.

DeepSeek’s success is also a damning indictment of the United States’ current policy of trying to restrict Chinese firms’ access to advanced AI chips. Despite regulators’ best efforts, DeepSeek managed to build a highly competitive model without access to the same quality and quantity of chips as US firms.

With its rising status, DeepSeek is dealing with the dark side that comes along with it. According to CNBC, the startup says it is temporarily limiting registration “due to large-scale malicious attacks.” The company says existing users will be able to continue using the service, and that only new registrations are currently impacted.

It’s unclear at this time where the attacks are originating from, or what will be necessary to curb the attacks.

FTC Orders GoDaddy to Improve Its Security
https://www.webpronews.com/ftc-orders-godaddy-to-improve-its-security/ (Fri, 17 Jan 2025 18:30:48 +0000)

GoDaddy, a domain registrar and one of the world’s largest hosting companies, has been ordered to improve its security by the Federal Trade Commission.

In its complaint, the FTC cites GoDaddy’s marketing “itself as a secure choice for customers to host their websites,” as well as “its commitment to data security and careful threat monitoring practices.” Unfortunately, according to the complaint, GoDaddy failed to live up to its own hype.

In fact, GoDaddy’s data security program was unreasonable for a company of its size and complexity. Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats. In particular, GoDaddy failed to: (a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data. These failures made GoDaddy’s representations about security false or misleading.

According to the FTC, these security inadequacies led to multiple data breaches.

As a result of GoDaddy’s data security failures, it experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers’ websites and data, causing harm to its customers and putting them and visitors to their websites at risk of further harm. GoDaddy’s customers and other consumers could not avoid this harm, and it is not outweighed by benefits to consumers or competition. Even after these compromises of its environment, GoDaddy continues to struggle to gain visibility into its hosting environment and adequately monitor it for threats.

The FTC also calls out GoDaddy for misrepresenting its compliance with the EU-U.S. Privacy Shield framework that regulates the transfer of personal data between the EU and the U.S.

The Department of Commerce (“Commerce”) and the European Commission negotiated the EU-U.S. Privacy Shield framework to provide a mechanism for companies to transfer personal data from the European Union to the United States in a manner consistent with the requirements of European Union law on data protection. The Swiss-U.S. Privacy Shield framework is identical to the EU-U.S. Privacy Shield framework.

To join the EU-U.S. and/or Swiss-U.S. Privacy Shield framework, a company must certify to the United States Department of Commerce that it complies with the Privacy Shield Principles. Participating companies must annually re-certify their compliance. The Privacy Shield frameworks expressly provide that, while decisions by organizations to “enter the Privacy Shield are entirely voluntary, effective compliance is compulsory: organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles.”

In particular, companies claiming to adhere to the regulation must meet certain criteria.

Companies under the jurisdiction of the FTC are eligible to join the EU-U.S. and/or Swiss-U.S. Privacy Shield framework. Both frameworks warn companies that claim to have self-certified to the Privacy Shield Principles that failure to comply or otherwise to “fully implement” the Privacy Shield Principles “is enforceable under Section 5 of the Federal Trade Commission Act.”

The Privacy Shield Principles include the following: SECURITY [Principle 4]: (a) Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

In spite of its obligation to provide reasonable security, the FTC goes on to highlight multiple areas in which GoDaddy failed to do that. The company is accused of failing to adequately inventory and manage its computer assets, failing to apply security patches, failing to address the risks involved in its Shared Hosting packages, failing to properly log security-related events, and failing to adequately engage in security monitoring.

GoDaddy is also accused of not implementing multi-factor authentication, relying on username/password authentication for SSH access instead of more secure authentication methods, and failing to properly segment and isolate its Shared Hosting environment.

As a result of these lapses, GoDaddy has suffered multiple breaches over the years. In addition to the damage caused by the theft of sensitive information, the FTC says GoDaddy customers, as well as others, have suffered as a result of the company’s poor security practices.

GoDaddy’s Shared Hosting customers have also spent time and effort protecting themselves from the consequences of GoDaddy’s practices, including time spent resetting account credentials, restoring compromised websites and certificates, addressing their own customers’ concerns, and other remediation in light of the security incidents described above.

GoDaddy’s Shared Hosting customers are not able to avoid the consequences of GoDaddy’s security failures. Shared Hosting customers do not know detailed information about GoDaddy’s security controls, including which security controls or tools GoDaddy does not use in its Shared Hosting environment. In addition, as described in Paragraphs 12-19, GoDaddy has represented that it provided reasonable security for the Shared Hosting environment, and that it meticulously monitored the environment for security threats.

Consumers who have interacted with GoDaddy’s customers’ websites have also not been able to avoid the consequences of GoDaddy’s security failures. In most cases, consumers who visit GoDaddy’s customers’ sites are unaware that they are interacting with a site or service hosted by GoDaddy.

The harm that GoDaddy’s security failures have caused or are likely to cause is not offset by countervailing benefits to consumers or competition. GoDaddy could have remediated its failures using well-known and low-cost technologies and techniques.

The FTC’s complaint should be a wake-up call to GoDaddy, and will hopefully lead the company to make significant changes to its security and privacy model.

UK Home Office Proposes Cracking Down On Ransomware Payments
https://www.webpronews.com/uk-home-office-proposes-cracking-down-on-ransomware-payments/ Tue, 14 Jan 2025 17:53:32 +0000

The United Kingdom’s Home Office is considering a major change to how public sector bodies deal with ransomware attacks, proposing a ban on ransomware payments.

Ransomware has emerged as one of the greatest cybersecurity threats, thanks mainly to the huge financial upside for ransomware groups. Attacks target individuals, businesses, and organizations, often using social engineering to convince an unsuspecting user to install malware, which then encrypts their files until they pay a ransom for the decryption key. Advanced malware is designed to infiltrate entire networks—including backups if possible—crippling entire organizations in one fell swoop.

Cybersecurity experts and government agencies around the world have warned that paying ransoms makes the situation worse by increasing the incentives for bad actors to continue their activities. Unfortunately, few companies follow the advice not to pay, prioritizing becoming operational again.

The Home Office appears to be ready to force the issue, at least with public sector bodies and critical infrastructure, consulting on a proposal to ban them from making payments. The government laid out its intentions in a news brief.

Aiming to strike at the heart of the cybercriminal business model and protect UK businesses by deterring threats, proposals include banning all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, from making ransomware payments, in order to make them unattractive targets for criminals. This is an expansion of the current ban on payments by government departments.

This is in addition to making it mandatory to report ransomware incidents, to boost intelligence available to law enforcement and help them disrupt more incidents.

The Home Office-led consultation will focus on three proposals:

  1. A targeted ban on ransomware payments for all public sector bodies and critical national infrastructure – expanding the existing ban on ransomware payments by government departments, and making the essential services the country relies on the most unattractive targets for ransomware crime.
  2. A ransomware payment prevention regime – increasing the National Crime Agency’s (NCA) awareness of live attacks and criminal ransom demands, providing victims with advice and guidance before they decide how to respond, and enabling payments to known criminal groups and sanctioned entities to be blocked.
  3. A mandatory reporting regime for ransomware incidents – bringing ransomware out of the shadows and maximising the intelligence used by UK law enforcement agencies to warn of emerging ransomware threats, and target their investigations on the most prolific and damaging organised ransomware groups.

“Driving down cybercrime is central to this government’s missions to reduce crime, deliver growth, and keep the British people safe,” said Security Minister Dan Jarvis.

“With an estimated $1 billion flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this government’s Plan for Change is built. These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate.

“Today marks the beginning of a vital step forward to protect the UK economy and keep businesses and jobs safe.”

National Cyber Security Centre CEO Richard Horne underscored the importance of protecting the UK from cyberattacks:

“This consultation marks a vital step in our efforts to protect the UK from the crippling effects of ransomware attacks and the associated economic and societal costs,” said Horne.

“Organisations of all sizes need to build their defences against cyber attacks such as ransomware, and our website contains a wealth of advice tailored to different organisations. In addition, using proven frameworks like Cyber Essentials, and free services like NCSC’s Early Warning, will help to strengthen their overall security posture.

“And organisations across the country need to strengthen their ability to continue operations in the face of the disruption caused by successful ransomware attacks. This isn’t just about having backups in place: organisations need to make sure they have tested plans to continue their operations in the extended absence of IT should an attack be successful, and have a tested plan to rebuild their systems from backups.”

Verizon and AT&T Say They Have Ousted Salt Typhoon Hackers
https://www.webpronews.com/verizon-and-att-say-they-have-ousted-salt-typhoon-hackers/ Mon, 30 Dec 2024 18:45:46 +0000

Verizon and AT&T have secured an important victory in the fight against the hacking group Salt Typhoon, saying they have ousted the hackers from their networks.

Salt Typhoon is a Beijing-backed hacking group responsible for the “worst telecom hack in our nation’s history — by far.” The group has compromised at least nine US telecoms companies, giving China the ability to read text messages and listen to phone calls.

“My hair’s on fire,” said Senator Mark R. Warner, chairman of the Senate Intelligence Committee. He went on to say “the American people need to know” the gravity of the situation.

“This is an ongoing effort by China to infiltrate telecom systems around the world, to exfiltrate huge amounts of data,” he added.

While the spying has largely been restricted to persons of political interest, especially in the D.C. area, there’s virtually no limit to what messages or calls Salt Typhoon can access. To make matters worse, security experts have struggled to remove the group’s access and lock them out of the telecom networks.

The revelation has caused the FBI and CISA to recommend that all individuals use Signal, WhatsApp, or another end-to-end encrypted (E2EE) messaging platform for the time being. The hack has also sparked a furious dialog regarding the state of US telecom security and increased regulation, with the FCC essentially giving telecoms an ultimatum to fix their security issues or pay the price.

In the wake of news that Salt Typhoon compromised the ninth carrier, Verizon and AT&T delivered some good news. Both carriers have issued statements that they have successfully evicted Salt Typhoon from their networks.

“Immediately upon learning of this incident, Verizon took several key actions to protect its customers and its network, including partnering with federal law enforcement and national security agencies, industry partners, and private cybersecurity firms,” Vandana Venkatesh, Verizon’s chief general officer, said in a statement to TechCrunch. “After considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident.”

“We detect no activity by nation-state actors in our networks at this time,” AT&T said in a statement to Fortune. “Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest. In the relatively few instances in which an individual’s information was impacted, we have complied with our notification obligations in cooperation with law enforcement.”

Hopefully the remaining seven telecoms are able to secure their networks soon.

CISA Adds Acclaim USAHERDS Vulnerability to Vulnerabilities Catalog
https://www.webpronews.com/cisa-adds-acclaim-usaherds-vulnerability-to-vulnerabilities-catalog/ Sat, 28 Dec 2024 12:30:00 +0000

CISA has added a vulnerability impacting the Acclaim USAHERDS web application to its Known Exploited Vulnerabilities Catalog.

According to a report from security firm Mandiant, the issue stems from the application using static key values.

The Acclaim USAHERDS web application 7.4.0.1 and earlier, builds prior to November 2021, used static ValidationKey and DecryptionKey values.

Mandiant says the exploitability is low, given that the key “values would need to be obtained via a separate vulnerability or other channel.” Nonetheless, if the key values are discovered, a bad actor could use them to execute code on the compromised server.

These keys are used to provide security for the application ViewState. A threat actor with knowledge of these keys can trick the application server into deserializing maliciously crafted ViewState data. A threat actor with knowledge of the validationKey and decryptionKey for a web application can construct a malicious ViewState that passes the MAC check and will be deserialized by the server. This deserialization can result in the execution of code on the server.
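The keys the advisory describes are the ASP.NET machineKey validationKey and decryptionKey. The following audit script is an added example, not code from Mandiant, CISA or the USAHERDS vendor: it inspects a web.config document, flags explicit static key literals, a legacy validation algorithm, and a disabled ViewState MAC, and accepts the auto-generated, per-application setting. Both config fragments are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample (not from any real deployment): explicit static keys,
# the pattern the advisory describes. Anyone holding these literal values
# can produce ViewState that passes the server's MAC check.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="CONSTRUCTED0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="CONSTRUCTEDFEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed hardened counterpart: keys generated at runtime and isolated
# per application, HMAC-SHA256 validation, and the ViewState MAC left on.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Validation algorithms ASP.NET still accepts but that predate the HMAC-SHA2 family.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml: str) -> List[str]:
    """Return a list of findings for one web.config document; an empty list means clean."""
    root = ET.fromstring(config_xml)
    findings: List[str] = []

    # iter() rather than an XPath so the element is found at any nesting level
    # (e.g. inside a <location> block).
    machine_key = next(root.iter("machineKey"), None)
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            # An omitted attribute falls back to the framework default, which
            # auto-generates the key; only an explicit literal is a static key.
            value = machine_key.get(attr, "AutoGenerate,IsolateApps")
            if "AutoGenerate" not in value:
                findings.append(f"static {attr} in machineKey")
            elif "IsolateApps" not in value:
                findings.append(f"{attr} is auto-generated but shared by every application on the host")
        validation = machine_key.get("validation", "HMACSHA256").upper()
        if validation in LEGACY_VALIDATION:
            findings.append(f"legacy ViewState validation algorithm {validation}")

    # With the MAC disabled no key is needed at all: any ViewState is deserialized.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState is accepted without a MAC")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```

A web farm does need explicit keys because AutoGenerate differs per server, so a literal is not automatically wrong; the audit flags every literal so a reviewer can confirm it is unique to that deployment, kept in a secret store, and not a value shipped in a product's default configuration.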

Despite its low exploitability, CISA says the vulnerability is being actively exploited, leading to its inclusion in the Catalog.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Organizations should apply the necessary patches and mitigations as soon as possible.

Ninth Telecom Compromised In Salt Typhoon Attack
https://www.webpronews.com/ninth-telecom-compromised-in-salt-typhoon-attack/ Fri, 27 Dec 2024 21:32:34 +0000

China’s Salt Typhoon attack against US telecoms has scored another victory, with a ninth telecom reportedly compromised by the attack.

Beijing-backed hacking group Salt Typhoon has managed to orchestrate the “worst telecom hack in” US history, with lawmakers and law enforcement sounding the alarm.

“My hair’s on fire,” said Senator Mark R. Warner, chairman of the Senate Intelligence Committee. He went on to say “the American people need to know” the gravity of the situation.

“This is an ongoing effort by China to infiltrate telecom systems around the world, to exfiltrate huge amounts of data,” he added.

Senator Warner’s warning that the attack was ongoing has proved to be true. According to AP News, Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, told reporters that Salt Typhoon has managed to compromise a ninth telecom.

US Response to Salt Typhoon

The US has been scrambling to address the hack, although with only limited success to date. The FCC has been exploring new regulations aimed at forcing telecoms to implement stronger security measures.

“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks,” FCC Chair Jessica Rosenworcel said.

Similarly, Brendan Carr—President-elect Donald Trump’s nominee to lead the FCC under the new administration—minced no words about the lapses in security that allowed Salt Typhoon’s hack.

“The Salt Typhoon intrusion is a serious and unacceptable risk to our national security,” Carr wrote on X. “It should never have happened. I will be working with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”

The FBI and CISA have advised that all individuals rely on secure, end-to-end encrypted (E2EE) messaging platforms, such as Signal and WhatsApp. Although iMessage is E2EE, as is RCS messaging on Android, cross-platform communication between Android and iOS is not secure unless a third-party platform like Signal or WhatsApp is used.

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” said Jeff Greene, an executive assistant director for cybersecurity at CISA.

Given today’s revelation of Salt Typhoon’s ongoing success, users would do well to follow the FBI and CISA’s advice.

WhatsApp Wins Major Victory Against NSO Group
https://www.webpronews.com/whatsapp-wins-major-victory-against-nso-group/ Wed, 25 Dec 2024 18:35:16 +0000

WhatsApp has scored a major legal victory in its fight against NSO Group, in a decision that will have profound repercussions on privacy and the spyware industry.

Judge Phyllis Hamilton, of the U.S. District Court for the Northern District of California, has issued a landmark summary judgment, in which the court found that Israeli firm NSO Group was liable for damages in its hack of WhatsApp.

Background

The case dates back to 2019, when WhatsApp revealed that NSO Group had exploited a vulnerability in its messaging app that allowed it to install its Pegasus spyware onto target devices. The software could be installed remotely via a phone call—whether the call was answered or not.

From there, NSO Group continued to refine Pegasus, improving its abilities to the point that phones could be compromised with absolutely no user interaction, making the software one of the most successful spyware packages in history.

Because of NSO Group’s success compromising both Android and iOS devices, Pegasus quickly became very sought after, especially among regimes that wanted to crack down on dissent and monitor political adversaries. Many of the targeted devices and accounts belonged to journalists, activists, and government officials.

WhatsApp framed the case in the context of the Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), as well as WhatsApp’s own terms of service. NSO Group resorted to a rather novel defense, claiming that it was entitled to sovereign immunity, since its actions were taken on behalf of foreign governments. The Biden administration urged the US Supreme Court to deny the defense, as the US State Department has never given sovereign immunity to a private company. SCOTUS agreed, shooting down NSO Group’s defense and allowing the trial to proceed.

Judge Hamilton Calls Out NSO Group’s Obstruction

Judge Hamilton called out the Israeli firm for its lack of transparency, as the company produced remarkably few documents in response to discovery orders.

Overall, the court concludes that defendants have repeatedly failed to produce relevant discovery and failed to obey court orders regarding such discovery. Most significant is the Pegasus source code, and defendants’ position that their production obligations were limited to only the code on the AWS server is a position that the court cannot see as reasonable given the history and context of the case. Moreover, defendants’ limitation of its production such that it is viewable only by Israeli citizens present in Israel is simply impracticable for a lawsuit that is to be litigated in this district.

CFAA Claims

Judge Hamilton found that NSO Group violated the CFAA.

Thus, the court GRANTS summary judgment in plaintiffs’ favor on the CFAA claim under both section (a)(2) and (a)(4), on the theory that defendants exceeded their authorization. Defendants appear to fully acknowledge that the WIS sent messages through Whatsapp servers that caused Pegasus to be installed on target users’ devices, and that the WIS was then able to obtain protected information by having it sent from the target users, through the Whatsapp servers, and back to the WIS. Defendants’ only arguments go to statutory interpretation (addressed above), and their delegation of Pegasus operation to their clients (addressed by § 1030(b)). The court need not address plaintiffs’ alternative argument, that defendants acted without authorization.

CDAFA Claims

Similarly, Judge Hamilton found in favor of WhatsApp’s CDAFA argument, in no small part due to NSO Group not producing the source code it was ordered to, making it impossible to determine if Pegasus actively violated the CDAFA by targeting accounts within the state.

The CDAFA is the state-law equivalent of the CFAA, with the additional requirement that a computer be unlawfully accessed in California. See, e.g., Meta Platforms, Inc. v. BrandTotal Ltd., 605 F.Supp.3d 1218, 1260 (N.D. Cal. 2022). In the court’s view, plaintiffs’ evidence regarding California relay servers is sufficient, even without more, and to the extent the statute requires an intent to target a California server, the outcome is the same as it was with respect to the jurisdictional analysis – because defendants’ failure to produce Pegasus source code is at least one reason why there is no evidence of exactly how the WIS chose servers, an evidentiary sanction is appropriate to conclude that the WIS did indeed target California servers. Thus, the court concludes that summary judgment must be GRANTED on the CDAFA claim for the same reasons as the CFAA claim.

Breach of Contract Claims

Judge Hamilton found NSO Group violated WhatsApp’s terms of service, dismissing the Israeli firm’s arguments and issuing a summary judgment for damages.

The court finds no merit in the arguments raised by defendants. Defendants do not dispute that they must have reverse-engineered and/or decompiled the Whatsapp software in order to develop the WIS, but simply raise the possibility that they did so before agreeing to the terms of service. However, as discussed above, defendants have withheld evidence regarding their agreement to the terms of service. Moreover, common sense dictates that defendants must have first gained access to the Whatsapp software before reverse-engineering and/or decompiling it, and they offer no plausible explanation for how they could have gained access to the software without agreeing to the terms of service. Accordingly, the court concludes that plaintiffs have sufficiently established breach.

Finally, as to damages, defendants do not dispute that plaintiffs incurred costs investigating and remediating defendants’ breaches, which are sufficient to establish the fourth and final element of a breach of contract claim. Accordingly, the court GRANTS summary judgment on plaintiffs’ claim for breach of contract.

Because the court has issued a summary judgment that “resolves all issues regarding liability, a trial will proceed only on the issue of damages.”

The Implications of WhatsApp’s Win

WhatsApp’s win is a major victory for the privacy of all users, regardless of whether they use WhatsApp or not. Judge Hamilton’s decision sends a clear message to surveillance and spyware companies and reaffirms users’ reasonable expectation of privacy.

The decision was lauded by WhatsApp head Will Cathcart in an X post.

Hopefully Judge Hamilton’s decision will set a precedent that will make it more difficult for other surveillance and spyware companies to stay in business.

Microsoft Touts Its Push to Adopt Passkeys
https://www.webpronews.com/microsoft-touts-its-push-to-adopt-passkeys/ Fri, 20 Dec 2024 20:54:27 +0000

Microsoft is pushing users to adopt passkeys as part of its bid to improve cybersecurity, proclaiming that “the password era is ending.”

Microsoft is in the midst of a high-profile attempt to improve cybersecurity across its platforms, following a series of costly and embarrassing security failures. One of its endeavors is convincing users to adopt passkeys instead of passwords. Passkeys do away with the need for passwords by relying on a phone or other physical device to authenticate a user, or by using biometrics, such as a fingerprint or face scan.

Sangeeta Ranjit, Microsoft Group Product Manager, and Scott Bingham, Principal Product Manager, penned a blog post highlighting the company’s progress convincing users to switch to passkeys. The two executives begin by highlighting the cybersecurity challenges the company faces, and why passkeys are important.

At Microsoft, we block 7,000 attacks on passwords per second—almost double from a year ago. At the same time, we’ve seen adversary-in-the-middle phishing attacks increase by 146% year over year. Fortunately, we’ve never had a better solution to these pervasive attacks: passkeys.

Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN, but they also aren’t susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls.

The executives say the company worked hard to get passkey adoption right, starting small, experimenting to find the right path forward, and then ‘scaling like crazy.’ The pair say the results have been impressive, with passkeys greatly improving the authentication experience for most users.

To make sure we got our passkey experience right, we adopted a simple methodology: Start small, experiment, then scale like crazy. The results have been encouraging:

  • Signing in with a passkey is three times faster than using a traditional password and eight times faster than a password and traditional multifactor authentication.
  • Users are three times more successful signing in with passkeys than with passwords (98% versus 32%).
  • 99% of users who start the passkey registration flow complete it.

Microsoft Passkey Data – Credit Microsoft

The blog post makes clear that Microsoft is intent on pushing users toward passkeys, furthering the demise of traditional passwords.

As we began to understand where and when to invite users to enroll passkeys, we also explored “how.” We ran multiple user studies and tested every pixel in our nudge screen to answer the question, “What would motivate a user to stop what they’re doing and enroll a passkey?”

First, we wanted to understand which value proposition would resonate most. Surprisingly, an easier sign in didn’t resonate with users as strongly as a faster or more secure sign in. Perhaps less surprising was discovering that security and speed resonated almost equally. Approximately 24% of users shown a message emphasizing security clicked through while approximately 27% of users shown messaging about speed clicked through.

If a user sees a nudge and chooses to enroll a passkey, great! But, if they see the nudge and decide that now isn’t the right time, we wanted to frame their decision in a positive way. The button text, “Skip for now,” respects that the user isn’t ready to enroll a passkey yet and lets them continue with what they were doing, but it also sets the expectation that we’re going to ask again. We’re implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don’t let them permanently opt out of passkey invitations. We want users to get comfortable with the idea that passkeys will be the new normal.

The exciting results of our experiments are helping us craft the best experience possible for our users, and we’re continuing to evolve. We encourage you to run your own experiments as well. Your products and users are different from ours and you might discover different outcomes. However, if you’re looking for a good place to start, messaging about speed and security is probably a safe bet. We also encourage you to reference the fantastic research that the FIDO Alliance has done, along with the UX guidelines they’ve published.

Microsoft is clearly intent on transitioning all of its users to passkeys. While some users may be hesitant to make the switch, the company is right that passkeys are far more secure, while also offering some convenience benefits.

8 Tips for Fortifying Your Cyber Defenses With a Human Firewall
https://www.webpronews.com/human-firewall-cyber-defenses/ Fri, 13 Dec 2024 11:07:29 +0000

As the global cybersecurity landscape continues to evolve, human error remains a significant vulnerability in defending against cyber threats. According to a 2024 survey, 66% of Chief Information Security Officers (CISOs) in the United States consider human error the most significant cyber vulnerability within their organizations.

Additionally, cybercrime is projected to cost the global economy $10.5 trillion by 2025. This highlights the escalating sophistication and frequency of attacks, from phishing schemes to ransomware exploits, many of which rely on manipulating unsuspecting employees. After all, even the most advanced cybersecurity tools are only as effective as their users.

The human element can often be the weakest link or the strongest asset in cybersecurity. To improve an organization’s security posture, employees should play a proactive part in safeguarding digital infrastructures. Such an approach to the “human firewall” involves implementing targeted training and fostering a culture of cyber awareness, so that businesses can turn their workforce into a critical line of defense against cyberattacks. 

Organizations must adopt a multifaceted approach that combines technological safeguards with human vigilance to stay ahead of these evolving threats.

1. Invest in Comprehensive Cybersecurity Training Programs

Employee training is foundational to creating a human firewall. Traditional IT systems cannot defend against nuanced attacks like phishing or social engineering without an informed workforce. Studies show that phishing simulations reduce successful phishing attempts. However, this should be combined with lesson-based learning, real-world case studies, and role-specific scenario reviews. 

Ensure your program is dynamic, adjusting for emerging threats and leveraging gamification to maintain engagement, using mechanisms such as leaderboards and simulated attack survival badges.

2. Foster a Cybersecurity-First Culture

A robust human firewall stems from a culture that prioritizes security. Businesses must embed cybersecurity practices into their operations, reinforcing vigilance as a shared responsibility. Leaders should set examples by following best practices like multi-factor authentication and secure device handling. 

According to PwC’s 2023 Global Digital Trust Insights, organizations with strong security cultures were 60% less likely to suffer data breaches than those without. This reinforces the need for a company-wide commitment to cyber hygiene.

3. Implement Clear Policies for Threat Reporting

Many cybersecurity incidents escalate because employees fail to report suspicious activities promptly. This could be due to fear of the potential repercussions or simply because they could not identify such issues. Establishing clear, non-punitive reporting channels ensures rapid response and mitigation. 

The “Cost of a Data Breach Report” from the Ponemon Institute reports that organizations with an incident response (IR) team and a tested incident response plan reduced the average cost of a data breach by $2.66 million compared to those that did not implement these measures. Make sure employees understand how to identify and escalate potential threats. These can include anomalous email attachments and unexpected login alerts, among others.

4. Leverage Technology to Augment Human Vigilance

While the human firewall focuses on people, technology should act as a critical support system. Tools like endpoint detection, behavioral analytics, and AI-powered email filtering reduce exposure to risks. AI-backed security systems can preemptively flag phishing emails or unusual login patterns, enabling employees to focus on discerning genuine threats. 

Gartner predicts that by 2026, enterprises combining GenAI with an integrated platforms-based architecture in security behavior and culture programs will experience 40% fewer employee-driven cybersecurity incidents.

5. Address Specific Weak Points with Tailored Approaches

Not all employees face the same cybersecurity risks. For example, finance teams are more likely to encounter spear-phishing attempts, while IT staff may be targeted with malware-laden technical documents. Tailoring training and safeguards to role-specific vulnerabilities can significantly boost effectiveness. For example, finance teams can receive training on recognizing fraudulent invoices, while training in the C-Suite can involve recognizing targeted high-level phishing. 

ISACA’s “State of Cybersecurity” report highlights that 55% of organizations identify soft skills like effective communication as a significant gap among cybersecurity professionals, underscoring the importance of targeted training in these areas.

6. Conduct Regular Security Audits and Simulations

Testing your human firewall is as important as building it. Conduct regular internal audits to identify weaknesses in both technological and human systems. This should include a systematic examination of your organization’s information security controls to determine their effectiveness in protecting data. 

Meanwhile, simulations such as mock phishing campaigns or breach drills exercise the skills the training is meant to build and expose the gaps that remain. 

7. Reward Vigilance to Reinforce Positive Behavior

Acknowledging employees who actively contribute to cybersecurity reinforces a security-first mindset. Consider implementing rewards for identifying phishing emails, reporting suspicious activity, or adhering to security protocols. Behavioral psychologists argue that positive reinforcement is one of the most effective ways to encourage desired actions. 

A survey by NectarHR found that 83.6% of employees feel that recognition affects their motivation to succeed at work. This suggests that recognizing employees for reporting phishing attempts or adhering to protocols can drive better engagement in security initiatives. 

8. Collaborate Across Departments for a Holistic Approach to Security

Cybersecurity is no longer the sole responsibility of IT departments. Cross-departmental collaboration ensures broader coverage and a more integrated approach. For instance, HR can assist in onboarding employees with cyber awareness, while marketing can ensure external communications do not expose sensitive information. 

This results in a shift in security posture from reactive to proactive. This exchange of ideas fosters innovation, enabling the creation of solutions that are not only effective but also resilient and adaptable to future threats.

The Takeaway

Cybersecurity now requires a holistic approach that goes beyond firewalls and anti-malware software alone. It is about empowering the people behind the systems to be proactive participants in defense. A human firewall represents the synergy between education, technology, and culture, which is a combination that significantly reduces vulnerability to cyber threats.

By prioritizing employee engagement and training, businesses can ensure long-term resilience against evolving threats. Remember, cybersecurity is a continuous journey requiring adaptability and vigilance. By involving your entire workforce, you transform a potential vulnerability into one of your greatest strengths.

A Data Protection Giant is Born: Cohesity Closes $7 Billion Veritas Deal https://www.webpronews.com/a-data-protection-giant-is-born-cohesity-closes-7-billion-veritas-deal/ Thu, 12 Dec 2024 15:06:11 +0000 https://www.webpronews.com/?p=610595 In a transformative move for the data security and management industry, Cohesity announced the completion of its acquisition of Veritas’ enterprise data protection unit, creating what CEO Sanjay Poonen calls “a new era in protecting the world’s data.”

With this deal, Cohesity has solidified its position as the world’s largest data protection software provider by market share, an achievement that promises to reshape the competitive landscape of the $40+ billion data protection market.

Scaling New Heights in Data Protection

The acquisition catapults Cohesity into an elite class of technology firms. The combined entity now serves over 12,000 customers, including 85% of the Fortune 100 and nearly 70% of the Global 500, protecting hundreds of exabytes of data worldwide. According to Cohesity’s recent announcement, the merger has positioned the company as the fastest in the sector to exceed $1.5 billion in annual revenue.

“This is a major milestone in our 11-year history,” Poonen told CNBC’s Closing Bell Overtime. “By combining Cohesity’s scale-out architecture and AI-driven security with Veritas’ extensive global footprint, we’re delivering unparalleled value to our customers.”

The transaction was funded by a Series H investment round led by Haveli Investments, alongside a Term Loan B facility arranged by JP Morgan. The deal values the combined entity at over $7 billion.

Driving Innovation Through AI and Security

The acquisition brings together Cohesity’s expertise in generative AI and zero-trust security principles with Veritas’ proven capabilities in enterprise data protection. This fusion aims to tackle critical challenges in data resilience and cyber threats, an area of increasing urgency as organizations integrate AI into their operations.

“As companies adopt generative AI, data security becomes even more critical,” Poonen noted. “Our focus is to secure the ‘secondary data’—the vast historical time-series data that’s particularly vulnerable to cyberattacks.”

NVIDIA CEO Jensen Huang echoed this sentiment, stating, “Cohesity is backing up and protecting the world’s data—a goldmine of business value that customers can unlock with generative AI.” NVIDIA, a key partner in Cohesity’s AI endeavors, is integrating its AI Enterprise platform with Cohesity’s solutions to enhance data insights and protection.

Commitment to Customers and Partners

Cohesity has emphasized its commitment to a “no customer left behind” strategy, ensuring that existing customers from both Cohesity and Veritas will continue to receive support for their products. This includes Veritas’ flagship NetBackup and NetBackup appliances, as well as Cohesity’s robust cloud-native data management tools.

“Our customers will benefit from the most comprehensive multicloud data protection portfolio in the industry,” said Poonen. “This includes everything from backup and recovery to advanced AI-driven insights.”

The integration also expands Cohesity’s global footprint, with a 24/7 customer success organization and one of the industry’s largest partner ecosystems. This includes collaborations with cloud service providers, VARs, MSPs, and technology partners, creating a robust network to deliver end-to-end data protection solutions.

Strategic Vision and Market Impact

Industry analysts have hailed the acquisition as a pivotal moment for the sector.

“This is the largest deal in the data protection space to date,” said Daniel Newman, CEO of The Futurum Group. “Cohesity now sits at the intersection of multi-cloud, security, and AI. With a TAM of over $40 billion, the company is poised for exponential growth.”

Newman added that the combination of Cohesity’s cutting-edge technology and Veritas’ legacy strength creates a compelling value proposition for global CIOs. “This is about more than just protecting data; it’s about turning it into a competitive advantage.”

Execution and Challenges Ahead

While the acquisition positions Cohesity as an industry leader, the integration presents significant challenges. Competitors, including Rubrik and Commvault, have been quick to point out potential distractions stemming from the merger.

“Our strategy is to stay number one by delivering unparalleled product innovation and customer obsession,” Poonen responded. “We’re humbled and hungry, and we’re ready to execute at scale.”

Poonen also outlined a clear roadmap for the integration, including plans to engage directly with the top 1,000 Veritas customers within 100 days. “This is about showing our commitment and building trust from day one,” he said.

As Cohesity charts its post-acquisition future, the company is eyeing an IPO as a potential next step.

“We’ve had significant investor interest,” Poonen said. “While our immediate focus is on seamless integration and customer success, an IPO remains an important milestone for our growth trajectory.”

The combination of Cohesity and Veritas represents not just a consolidation of capabilities but a redefinition of what’s possible in data protection and management. With an ambitious vision and a commitment to innovation, Cohesity is set to shape the future of how the world’s data is protected and leveraged.

As the dust settles on this historic deal, all eyes will be on Cohesity to see how it delivers on its promise to revolutionize the industry. The stakes are high, but so are the rewards for a company aiming to redefine the boundaries of data security and insights.

FCC to Telecoms: Fix Your Cybersecurity or Pay the Price https://www.webpronews.com/fcc-to-telecoms-fix-your-cybersecurity-or-pay-the-price/ Mon, 09 Dec 2024 18:36:46 +0000 https://www.webpronews.com/?p=610538 The Federal Communications Commission (FCC) has laid down the law for telecom giants, signaling that their days of lax cybersecurity are numbered.

In the wake of the “Salt Typhoon” hack—arguably the most severe breach in U.S. telecom history—the agency is demanding immediate action. The message is clear: fix your vulnerabilities or face steep fines and potential criminal charges.

This development is a direct response to revelations about a Beijing-linked hacking group infiltrating major U.S. telecom networks. These cyber intruders reportedly siphoned sensitive data, potentially exposing private communications for years and leaving national security on shaky ground.

As we’ve been following here at WebProNews, the fallout from the “Salt Typhoon” hack is monumental. By exploiting vulnerabilities in network infrastructure, hackers gained access to highly sensitive data and may have even eavesdropped on personal calls and messages. The breach has left both consumers and national security experts asking a pointed question: how did this happen?

The FCC Strikes Back

FCC Chairwoman Jessica Rosenworcel has taken a firm stance, making it crystal clear that telecom companies are now on notice. “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks,” Rosenworcel said in an exclusive statement to The Washington Post.

A modern framework also means accountability, and that accountability could be costly. Alongside steep fines, Rosenworcel hinted at criminal charges for executives who neglect cybersecurity protocols. While such drastic measures may seem extreme, the stakes couldn’t be higher.

FCC Commissioner Brendan Carr echoed the urgency. In a blunt post on X (formerly Twitter), Carr declared: “The Salt Typhoon intrusion is a serious and unacceptable risk to our national security. It should never have happened. I will be working with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”

It’s not just tough talk. Behind the scenes, the FCC is already drafting new regulations aimed at tightening security across the board. These proposals reportedly include mandatory encryption standards, multi-factor authentication protocols, and requirements for routine cybersecurity audits. Finalized rules are expected in the coming months.

The “Salt Typhoon” Effect: What It Revealed

The audacity and scale of the “Salt Typhoon” hack have sent shockwaves through the cybersecurity and telecom industries. The attack exploited unpatched vulnerabilities in network equipment—an oversight that experts say could have been avoided with proper diligence.

The breach has prompted federal agencies like the FBI and CISA to issue a rare joint advisory. Their recommendation? Ditch traditional SMS and rely on encrypted platforms like Signal and WhatsApp for secure communications. As we’ve reported previously at WebProNews, the push for encryption underscores the severity of the situation: even basic communications might not be safe.

Telecoms at a Crossroads

For telecom companies, the path forward is clear but not easy. They’ll need to invest heavily in cybersecurity to prevent future breaches. Here are the FCC’s likely must-haves for telecom providers:

  • Encryption Everywhere: Encrypting data in transit and at rest is non-negotiable. Without it, companies remain sitting ducks for cybercriminals.
  • Stronger Access Controls: The industry needs to standardize multi-factor authentication for access to sensitive systems, ideally phishing-resistant methods such as FIDO2 security keys rather than SMS one-time codes, which travel over the very networks that were compromised. Passwords alone won’t cut it anymore.
  • Frequent Security Audits: Identifying vulnerabilities before attackers do is critical. Regular third-party audits are no longer optional.
  • Invest in Threat Intelligence: Staying ahead of hackers means monitoring the latest tactics and tools in the cybersecurity playbook.
  • Partnering with the Government: Sharing insights and working closely with agencies like CISA can make the entire ecosystem more secure.

Why This Matters

The “Salt Typhoon” hack isn’t just a story about cybersecurity—it’s a case study in the interconnectedness of modern infrastructure. If telecom networks can be breached, so too can the critical systems they underpin. From banking to emergency services, a compromised telecom system puts nearly every facet of society at risk.

For individuals, the implications are equally dire. Beyond the potential exposure of personal messages, there’s the looming question of whether privacy in a digital age is even possible.

What’s Next?

The coming months will be pivotal. If the FCC’s new regulations are as comprehensive as expected, they could serve as a global benchmark for telecom security. But regulations alone won’t solve the problem. Companies need to embrace a cultural shift—one that prioritizes security over convenience and profits.

And for consumers? The best course of action is vigilance. Stay informed, opt for encrypted communication platforms, and demand accountability from your service providers.

As always, we’ll be watching this story closely at WebProNews. The FCC has thrown down the gauntlet, and the telecom industry’s response will determine whether the lessons of “Salt Typhoon” lead to a more secure future—or simply more headlines.

FBI & CISA: Use Encrypted Messaging Platforms https://www.webpronews.com/fbi-cisa-use-encrypted-messaging-platforms/ Wed, 04 Dec 2024 19:09:51 +0000 https://www.webpronews.com/?p=610476 In the wake of China’s hack of US telecoms, already dubbed the worst in history, FBI and CISA officials are warning users to rely on encrypted messaging platforms.

China perpetrated the “worst telecom hack” in US history, an operation carried out by a group called Salt Typhoon. The group hacked some of the nation’s biggest providers, including Verizon and AT&T, to surveil persons of interest. To date, much of the known surveillance has centered on the D.C. area, but any customer of the affected carriers could in principle be targeted. While security experts and law enforcement have been working to oust Salt Typhoon from the telecoms, the efforts have had mixed success.

According to NBC News, an unnamed senior FBI official and Jeff Greene, executive assistant director for cybersecurity at CISA, are warning that consumers should rely on encrypted communication methods so that China cannot listen in on calls or read texts.

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene said.

What This Means for iOS/Android Communication

Unfortunately, the FBI and CISA’s recommendation to use encrypted communication means that Apple and Android users should not rely on the new RCS messaging when communicating with each other.

RCS is the successor to basic SMS text messaging. End-to-end encryption (E2EE) is not part of the RCS standard itself; Google adds it as a layer inside Google Messages, so it only works when both parties are using Google Messages on Android. Apple has implemented RCS in the latest version of iOS, giving cross-platform users read receipts, high-definition media, and better group-chat management, but E2EE does not work between Android and iOS. Apple and Google say they are working to bring E2EE to cross-platform RCS, but it is not yet available and there is no concrete date for when it will be.

As a result, until cross-platform RCS provides the needed security, or until Salt Typhoon is successfully ousted from the telecoms, Signal or WhatsApp are far better options for cross-platform communication. Importantly, both provide end-to-end encrypted text and voice calls. One caveat for WhatsApp users: its cloud backups are only end-to-end encrypted if the user turns that option on.
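The interception path the FBI and CISA are describing, as an added example that is not code from the article or from Signal or WhatsApp: a passive carrier relay sits between two parties, and a plaintext SMS and an end-to-end encrypted message are sent through it. The cipher is an illustrative standard-library-only construction (HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag) standing in for the real messaging protocols; the shared secret, the relay class and the sample message are assumptions made for the example.

```python
"""Added example (not from the article, Signal or WhatsApp): a compromised
carrier core modelled as a passive relay. Plaintext SMS is readable at the
relay; an E2EE message is not, because the key exists only on the endpoints.
The cipher below is illustrative only (HMAC-SHA256 keystream in counter
mode, encrypt-then-MAC with a separate HMAC key); do not use it in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream made of HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(shared_secret: bytes):
    """Split the endpoint-only secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def e2ee_encrypt(shared_secret: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def e2ee_decrypt(shared_secret: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time compare: a wrong key and a tampered message both fail here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class CarrierRelay:
    """Passive interceptor: forwards every payload and keeps a copy (assumed model)."""

    def __init__(self):
        self.captured = []

    def forward(self, payload: bytes) -> bytes:
        self.captured.append(payload)
        return payload


def send_sms(relay: CarrierRelay, text: str) -> str:
    """Plaintext SMS: the relay stores exactly what the recipient reads."""
    return relay.forward(text.encode()).decode()


def send_e2ee(relay: CarrierRelay, shared_secret: bytes, text: str) -> str:
    """E2EE message: the relay stores only nonce || ciphertext || tag."""
    blob = e2ee_encrypt(shared_secret, text.encode())
    return e2ee_decrypt(shared_secret, relay.forward(blob)).decode()


def carrier_can_decrypt(blob: bytes) -> bool:
    """The relay never held the endpoint secret, so all it can do is guess."""
    try:
        e2ee_decrypt(secrets.token_bytes(32), blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed sample; the secret stands for a key the two phones agreed on
    # and the carrier never saw.
    relay = CarrierRelay()
    secret = secrets.token_bytes(32)
    msg = "Meeting moved to 3pm, room 4B"

    sms_received = send_sms(relay, msg)
    e2ee_received = send_e2ee(relay, secret, msg)
    sms_copy, e2ee_copy = relay.captured

    tampered = bytearray(e2ee_copy)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        e2ee_decrypt(secret, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "sms_received": sms_received,
        "e2ee_received": e2ee_received,
        "carrier_reads_sms": sms_copy.decode() == msg,
        "carrier_reads_e2ee": msg.encode() in e2ee_copy,
        "carrier_can_decrypt_e2ee": carrier_can_decrypt(e2ee_copy),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly and it reports, for each message, whether the relay could read it. The point is that decryption requires the endpoint secret, which a compromised carrier core never holds; it is also why a one-time code delivered by SMS is not an end-to-end encrypted channel.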

The Irony of the FBI Recommending Encryption

It should also be noted that there is a tremendous amount of irony in the FBI recommending users rely on E2EE.

The FBI has traditionally argued against E2EE, saying it makes it harder for law enforcement to do its job and catch criminals. The agency has argued that companies should build backdoors into E2EE platforms so law enforcement can access encrypted communications when they want/need to.

In contrast, privacy and security experts have long maintained that E2EE is a vital part of modern communications, and that banning it or forcing backdoors would be detrimental to all users, including law-abiding ones. Without E2EE, government officials, journalists, activists, and countless others would be vulnerable to their communication being read by others. What’s more, there is simply no way to implement a backdoor into encryption for the “good guys” without a significant risk of the “bad guys” finding and abusing it.

Ultimately, the FBI endorsing E2EE communication methods to prevent Chinese hackers from accessing user communications, is the single biggest argument why E2EE should never be weakened, backdoored, or abandoned.

Conclusion

In the meantime, users should take the FBI and CISA warning seriously and switch to Signal or WhatsApp until the Salt Typhoon situation is resolved.

Beyond Salt Typhoon, the current situation underscores why encrypted communication methods should be the default for all users in all situations. The argument that “I’m not doing anything wrong, so I don’t have anything to hide” is not a valid reason to not take basic precautions.

All users—including law-abiding ones—should rely on E2EE communication methods. For Android and Apple users, that means avoiding RCS for cross-platform chats until the two companies deliver on their promise to secure them with E2EE. Chats that stay on one platform are a different matter: iMessage between Apple devices and Google Messages between Android devices remain end-to-end encrypted.

Zello Tells Users to Reset Passwords Amid Likely Breach https://www.webpronews.com/zello-tells-users-to-reset-passwords-amid-likely-breach/ Fri, 29 Nov 2024 21:48:40 +0000 https://www.webpronews.com/?p=610351 Zello, the push-to-talk service, is telling customers to reset their passwords in what appears to be another breach of the company.

According to BleepingComputer, Zello has sent a notification to users telling them they need to reset their passwords if they created their account prior to November 2nd, 2024. The notification doesn’t give any additional detail, other than to say the user should change their password on any online service on which they use the same password as on Zello.

Below is a copy of the notification users are receiving:

“Zello Security Notice – As a precaution, we are asking that you reset your Zello app password for any account created before November 2nd, 2024,” reads the warning.

“We also recommend that you change your passwords for any other online services where you may have used the same password.”

The company is not explicitly saying its systems were breached, but the fact that Zello is recommending users change their password on any other service where they reused it is a good indication that a credential store was exposed. The alternative reading is credential stuffing: attackers replaying passwords leaked from other sites against Zello accounts. In either case, reused passwords are the exposure, which is why the advice extends beyond Zello itself.

As BleepingComputer highlights, Zello suffered a previous data breach in 2020, so a breach of the company’s systems would not be unheard of.

Craigslist Founder Donating $300 Million to US Cybersecurity Efforts https://www.webpronews.com/craiglist-founder-donating-300-million-to-us-cybersecurity-efforts/ Mon, 25 Nov 2024 14:03:38 +0000 https://www.webpronews.com/?p=610286 Craigslist founder Craig Newmark is donating $300 million to help bolster US cybersecurity efforts, saying “our country is under attack now.”

In an interview with Yahoo’s Opening Bid podcast, Newmark likened the current state of the cybersecurity industry to WWII, when everyone was expected to help the US war effort.

“The deal is our country is under attack now,” he told Yahoo Finance executive editor Brian Sozzi. “It’s not like I’m in the recruiting line after Pearl Harbor because my dad volunteered in the ’40s, but I guess that’s what I should be doing.”

The tech icon has already invested $100 million via his Craig Newmark Philanthropies, but has committed an additional $200 million.

“I tell people, ‘Hey, the people who protect us could use some help. The amounts of money comparatively are small, so why not help out,’” he added.

Newmark’s philanthropy website outlined his goals.

He’s committed $100 million to form a Cyber Civil Defense network of groups who are starting to protect the country from cyber threats. Attacks on our power grids, our cyber infrastructure and even the internet-connected gadgets and appliances in our homes are real. If people think that’s alarmist, tell them to “Blame Craig.”

The core of Cyber Civil Defense includes groups like Aspen Digital, Global Cyber Alliance, and Consumer Reports, focusing on citizen cyber education and literacy, cyber tool development, and cybersecurity workforce programs aimed at diversifying the growing field.

The effort, launched in 2022, has already made significant investments in Black Girls Hack, Girls Who Code, the Girl Scouts, VetsinTech, the Consortium of Cyberclinics, the Ransomware Task Force, and Shadowserver.

Newmark’s investments underscore the ongoing threats surrounding cybersecurity, and the issues companies face funding proper cybersecurity defense.

China’s Hack of US Telecoms the ‘Worst Telecom Hack’ In US History https://www.webpronews.com/chinas-hack-of-us-telecoms-the-worst-telecom-hack-in-us-history/ Sat, 23 Nov 2024 23:44:26 +0000 https://www.webpronews.com/?p=610254 China’s hack of US telecoms, already dubbed the “worst telecom hack in our nation’s history — by far,” should serve as a stark warning against encryption backdoors.

According to multiple reports, the Chinese government sponsored a hacking campaign—carried out by a group called Salt Typhoon—in a successful attempt to compromise US telecom companies and use that access to spy on high-value targets.

Senator Mark R. Warner, chairman of the Senate Intelligence Committee, minced no words in describing how bad the hack was, saying it is the “worst telecom hack in our nation’s history — by far,” according to The Washington Post.

“My hair’s on fire,” Warner said. He went on to say “the American people need to know” the gravity of the situation.

“This is an ongoing effort by China to infiltrate telecom systems around the world, to exfiltrate huge amounts of data,” he added.

In a joint statement, the FBI and CISA addressed the hack, saying the number of known compromised accounts remains low, but is likely to increase as the investigation continues.

The U.S. government’s continued investigation into the People’s Republic of China (PRC) targeting of commercial telecommunications infrastructure has revealed a broad and significant cyber espionage campaign.

Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) continue to render technical assistance, rapidly share information to assist other potential victims, and work to strengthen cyber defenses across the commercial communications sector. We encourage any organization that believes it might be a victim to engage its local FBI Field Office or CISA.

The Post says that most of the impacted accounts are centered in the D.C. area, with the hack clearly targeting government officials. As the FBI and CISA point out, however, the full extent of the operation is likely much larger and will only become apparent with more investigation.
