Jack Cable

@jackhcable
804 Followers
256 Following
69 Posts

CEO & Co-founder at Corridor.

Previously: Senior Technical Advisor at CISA, TechCongress in the Senate, Krebs Stamos Group, CISA, Defense Digital Service, and Stanford.

Website: https://cablej.io

I told Congress the story of how I got into hacking: winning the Hack the Air Force competition at 17, and helping start Stanford's bug bounty program as a freshman.

While we've made progress, we need to do more to normalize security research. I called on Congress to reform the Computer Fraud and Abuse Act by exempting good-faith security research.

New from Jen Easterly and me: as threats to our critical infrastructure increase, U.S. policymakers need to defend + strengthen the role of security research. This is personal for me, having received legal threats for good-faith security research.

We call on Congress to protect security researchers by codifying the DMCA security research exemption, exempt good-faith security research from the CFAA, and require software vendors to operate a VDP and publish CVEs.

https://www.lawfaremedia.org/article/advancing-secure-by-design-through-security-research

Advancing Secure by Design Through Security Research

It is essential for U.S. policymakers to actively protect and promote the role of security research within an open and transparent ecosystem.


After two incredible years, today is my last day at CISA. Immensely grateful to have been able to drive CISA's work on Secure by Design, spurring commitments from 250 software manufacturers and publishing guidance with over a dozen int'l partners.

My exit interview: https://cyberscoop.com/jack-cable-cisa-secure-by-design-exit-interview/

A CISA secure-by-design guru makes the case for the future of the initiative

The initiative had led to tangible changes, Jack Cable said upon his exit from the agency as senior technical adviser.

CyberScoop

It's the six-month anniversary of CISA's secure-by-design pledge. I talked to @jackhcable about how things are going and what's next: https://therecord.media/cisa-jack-cable-interview-secure-by-design-pledge-update

New details in here about participant workshops, CISA's plans for tracking progress, and version 2.0 of the pledge.

CISA’s Jack Cable on secure-by-design pledge progress — and next steps

The pledge, and CISA’s broader secure-by-design initiative, are key parts of the White House’s push to hold tech companies accountable for the cascading harms of poorly designed products and vulnerable software.

📣 Ransomwhere now has over $1 billion in payments, making it the first public ransomware payments dataset over a billion dollars.

This is compared to $30 million three years ago when Ransomwhere was launched.

Access the dataset here: http://ransomwhe.re

Read the latest research: https://arxiv.org/abs/2408.15420

Ransomwhere

Ransomwhere is the open, crowdsourced ransomware payment tracker.

Excited to share new research w/ Ian Gray and Damon McCoy, where we leverage novel heuristics to identify over $700 million in previously-unreported ransomware payments. We publish our set of payments, which when combined with the Ransomwhere dataset totals over $900 million in ransomware payments — several times larger than any existing public dataset.

Read here: https://arxiv.org/abs/2408.15420
Get the data: https://github.com/cablej/showing-the-receipts

Showing the Receipts: Understanding the Modern Ransomware Ecosystem

Ransomware attacks continue to wreak havoc across the globe, with public reports of total ransomware payments topping billions of dollars annually. While the use of cryptocurrency presents an avenue to understand the tactics of ransomware actors, to date published research has been constrained by relatively limited public datasets of ransomware payments. We present novel techniques to identify ransomware payments with low false positives, classifying nearly $700 million in previously-unreported ransomware payments. We publish the largest public dataset of over $900 million in ransomware payments -- several times larger than any existing public dataset. We then leverage this expanded dataset to present an analysis focused on understanding the activities of ransomware groups over time. This provides unique insights into ransomware behavior and a corpus for future study of ransomware cybercriminal activity.

arXiv.org

Extremely excited to launch CISA's Secure by Design Pledge today — where 68 of the world's leading software manufacturers are committing to demonstrating measurable progress around secure by design in seven specific areas over the next year. This is a major step forward in our efforts to increase adoption of secure by design principles.

Read our announcement: https://www.cisa.gov/news-events/news/cisa-announces-secure-design-commitments-leading-technology-providers

Today, I published in the Harvard Business Review on how business leaders of software manufacturers can prevent ransomware attacks at scale with more secure by design software.

The vast majority of ransomware attacks are enabled by a software design defect or insecure default configuration. It's up to software manufacturers to raise the tide and help secure everyone.

Read here: https://hbr.org/2024/04/preventing-ransomware-attacks-at-scale

Preventing Ransomware Attacks at Scale

Ransomware attacks — like the one on Change Healthcare — continue to cause major turmoil. But they are not inevitable. Software manufacturers can build products that are resilient against the most common classes of cyberattacks leveraged by ransomware gangs. This article describes what can be done and calls on customers to demand that software companies take action.

Harvard Business Review

Four years ago, as a computer science student at Stanford, I wrote what felt like a simple observation: I wasn’t required to take a security class, and neither were my peers.

It’s now 2024, and we’ve made little progress in educating developers. It is long overdue for academia to reconsider their role in producing a software developer workforce that writes defective software.

Read on: https://www.cisa.gov/news-events/news/we-must-consider-software-developers-key-part-cybersecurity-workforce

Great joining @RosenzweigP on the Lawfare Podcast! Tune in for some holiday listening to hear from Lauren Zabierek, Bob Lord and me on CISA's path forward on Secure by Design.

https://www.lawfaremedia.org/article/the-lawfare-podcast-three-cisa-senior-advisers-on-secure-by-design

The Lawfare Podcast: Three CISA Senior Advisers on Secure by Design

What is Security by Design?
