Cyber Security Headlines: Week in Review – Detailed Summary
Hosted by CISO Series’ David Spark with guest Nick Espinosa
Release Date: March 14, 2025
Episode Title: Week in Review: ONCD Dominates Cyber, Undocumented Bluetooth Commands, DoJ Google Breakup
1. ONCD Set to Consolidate Power in US Cybersecurity
Overview:
The episode opens with a discussion on the Office of the National Cyber Director (ONCD) gaining significant authority within the U.S. cybersecurity framework. David Spark introduces the topic, highlighting the appointment of Sean Cairncross as the new head of the ONCD, despite his lack of direct cybersecurity experience.
Key Points:
- Centralization of Cyber Policy: The ONCD is poised to become the executive branch’s central authority for cybersecurity policy, potentially enhancing coordination across federal agencies.
- Leadership Concerns: While centralization promises a unified cybersecurity strategy, there are apprehensions regarding Cairncross’s ability to lead effectively without a strong cybersecurity background.
Notable Quotes:
- David Spark [00:46]: “…the DOJ seeks to break up a little startup called Google.”
- Nick Espinosa [03:54]: “The ONCD's enhanced role could ensure that cybersecurity strategy and policy are more integrated across the board. Right. That's not a bad thing.”
Insights: Nick Espinosa emphasizes the potential benefits of centralized decision-making, such as improved coordination and a more cohesive security posture. However, he also voices concerns about the appointment of leaders without substantial cybersecurity expertise, which could impact the agency’s effectiveness in advocating for necessary cybersecurity measures.
2. Undocumented Commands Found in Bluetooth ESP32 Chips
Overview:
The podcast delves into a critical vulnerability discovered in the ESP32 microchips, widely used in billions of IoT devices. Researchers identified undocumented commands that could be exploited for malicious purposes.
Key Points:
- Vulnerability Details: The undocumented commands allow for spoofing trusted devices, unauthorized data access, network pivoting, and establishing long-term persistence.
- Impact on IoT Devices: With over a billion units in use, the potential risk is immense, affecting everything from home gadgets to industrial systems.
Notable Quotes:
- Nick Espinosa [08:14]: “The surface area for attack to both compromise and weaponize a whole bunch of stuff… that is a lot.”
- David Spark [10:33]: “…even the UK has put out some stronger requirements around IoT.”
Insights: Espinosa highlights the dual challenges of detecting such vulnerabilities and the difficulty of patching embedded microchips in widespread devices. He underscores the necessity for robust cybersecurity measures during the development process to mitigate these risks. The discussion also touches on global efforts, such as the UK’s enhanced IoT regulations, aiming to strengthen supply chain security.
3. DOJ Seeks to Break Up Google by Forcing the Sale of Chrome
Overview:
A major story discussed is the Department of Justice’s (DoJ) move to dismantle Google’s dominance by compelling the company to sell its Chrome browser, aiming to foster a more competitive market environment.
Key Points:
- Antitrust Actions: The DoJ accuses Google of creating an economic monopoly, ensuring dominance in search engine markets through exclusive agreements with major smartphone manufacturers.
- Market Impact: Forcing the sale of Chrome could significantly alter Google’s ecosystem, impacting how users interact with its services and paving the way for increased competition.
Notable Quotes:
- Nick Espinosa [12:07]: “Google, the 800-pound gorilla in the room… they have put together exclusivity agreements… ensuring that the default is going to be Google.”
- David Spark [14:42]: “Google loves even more ways to win like the Bell system did.”
Insights: Espinosa argues that breaking up Google is a positive move towards leveling the playing field, encouraging innovation, and reducing monopolistic practices. He acknowledges the temporary disruptions that may arise from such a breakup but believes the long-term benefits for market competition and cybersecurity are substantial.
4. UK Banks Ordered to Compensate Customers for Outages
Overview:
The conversation shifts to the UK’s regulatory actions against major banks and building societies due to prolonged tech outages, resulting in significant customer compensation mandates.
Key Points:
- Regulatory Findings: Nine major UK banks faced over 33 days of technology outages in the past two years, excluding recent incidents with Barclays and Lloyds.
- Financial Repercussions: Banks are required to compensate customers with a total of £12.5 million, highlighting the critical need for modernized banking infrastructure.
Notable Quotes:
- Nick Espinosa [17:48]: “They’re incentivized to spend money… it shifts the focus to long-term infrastructure improvements and accountability.”
- David Spark [09:56]: “…some stuff just can’t be upgraded… like home users, they don’t even update their stuff.”
Insights: Espinosa views this regulatory approach as a proactive measure to compel banks to invest in robust and reliable infrastructures, rather than applying short-term fixes like free credit monitoring. He believes this strategy aligns with a customer-first mentality, ensuring that critical services remain uninterrupted and secure.
5. UK Calls for Improvements to Open Source Supply Chain Security
Overview:
The UK’s Department for Science, Innovation and Technology (DSIT) issued a report addressing vulnerabilities in the open-source software supply chain, advocating for enhanced security practices.
Key Points:
- Identified Weaknesses: Lack of industry-specific practices, formal processes for assessing component trustworthiness, and the dominance of large tech companies in open-source contributions.
- Recommendations: Organizations should develop internal policies for evaluating open-source components, maintain software bills of materials (SBOMs), and engage actively with the open-source community.
Notable Quotes:
- Nick Espinosa [21:24]: “If one country is stepping up and saying our country requires all open source everywhere that they're now going to possibly meet that standard…”
- David Spark [23:39]: “SBOMs are not a cure for the open source supply chain, but they do help give you a little bit more visibility.”
Insights: Espinosa supports the UK’s recommendations, emphasizing the importance of standardization and global cooperation in securing the open-source supply chain. He highlights the role of organizations like the Open Source Security Foundation (OpenSSF) in developing best practices and underscores the necessity for comprehensive monitoring and proactive cybersecurity measures in software development.
6. China's Volt Typhoon Hackers Lurked in US Electrical Grid for 300 Days
Overview:
The final major story covers the prolonged infiltration of the US electrical grid by China’s Volt Typhoon hacker group, exposing significant vulnerabilities in critical infrastructure.
Key Points:
- Prolonged Access: Volt Typhoon accessed the network of the Littleton Electric Light and Water Department in Massachusetts for over 300 days, harvesting sensitive operational technology data.
- Potential Threats: The exfiltrated Geographic Information System (GIS) data could facilitate future targeted attacks on the energy grid.
Notable Quotes:
- Nick Espinosa [25:25]: “Utilities like the electrical grid have traditionally been more difficult to protect than just a standard IT perimeter.”
- David Spark [28:21]: “…if we've learned anything from the Russian invasion of Ukraine… cyber warfare is just a continuation.”
Insights: Espinosa underscores the critical need for enhanced security measures in operational technology (OT) environments, noting the ease with which attackers can exploit vulnerabilities in critical infrastructure. He draws parallels to previous cyber-attacks on utilities, emphasizing that cyber warfare operates alongside kinetic and economic conflicts, posing significant risks to national security.
Closing Remarks: The episode concludes with reflections on the pervasive influence of big tech companies and the importance of robust cybersecurity practices in safeguarding critical infrastructure. The hosts express optimism for ongoing regulatory and technological advancements aimed at mitigating these cyber threats.
Notable Quotes:
- Nick Espinosa [31:04]: “LinkedIn. Nick Espinosa. You’ll see my mug shot there…”
- David Spark [31:33]: “Here’s wishing you and yours to have a super sparkly day.”
Conclusion:
This episode of Cyber Security Headlines provides an in-depth analysis of significant cybersecurity developments, ranging from governmental restructuring and corporate antitrust actions to critical vulnerabilities in widely used technologies and cyber espionage threats. With expert insights from Nick Espinosa and David Spark, listeners gain a comprehensive understanding of the current cybersecurity landscape and the evolving challenges within it.
For more detailed discussions and daily updates, visit CISOseries.com.