You are using an older browser version. Please use a supported version for the best MSN experience.

The dread, sincerity and comedy of Cybersecurity Awareness Month

The Washington Post logo The Washington Post 10/4/2022 Tim Starks, Aaron Schaffer

Welcome to The Cybersecurity 202! One thing I did this past weekend was play Dungeons & Dragons with my favorite campaign creator, Keith Baker. (This is the character I played.) You just never know what sentences you'll end up uttering in your lifetime.

Below: Officials warn of cyberthreats ahead of midterm elections, and revelations about Pegasus spyware rock Mexico. First:

For better or worse, Cybersecurity Awareness Month sparks a running commentary

Cybersecurity Awareness Month: Trick or treat? (Daniel Acker/Bloomberg News) © Daniel Acker/Bloomberg Cybersecurity Awareness Month: Trick or treat? (Daniel Acker/Bloomberg News)

Ever since 2004, October has been Cybersecurity Awareness Month, created by the Department of Homeland Security and the nonprofit, industry-sponsored National Cybersecurity Alliance to … well … promote awareness of cybersecurity.

“During Cybersecurity Awareness Month, we highlight the importance of safeguarding our Nation’s critical infrastructure from malicious cyber activity and protecting citizens and businesses from ransomware and other attacks,” reads the annual proclamation President Biden released Monday. “We also raise awareness about the simple steps Americans can take to secure their sensitive data and stay safe online.”

But not everyone is so into it.

Every year, the awareness month provokes a kaleidoscope of reactions on Twitter. Government officials push their message alongside defenders who view the event as worthwhile. Lots of reporters and cyber pros are tired of hearing about it and think it’s pointless at best. Then there’s everything in-between and a bunch outside of that, too.

My predecessor Joseph Marks did a thoughtful examination a couple years ago about the value, or lack thereof, of Cybersecurity Awareness Month. The mix of responses comes in the form of meme warfare, corporate shilling and authentic enthusiasm. This year is no exception.

The government

Rob Joyce, the director of cybersecurity for the National Security Agency, might most exemplify the push-and-pull of whether to joke about, or celebrate, the month:

He ultimately settled on a mix of both.

Most government cybersecurity officials, though, took a purely earnest approach, at least on the first workday of the month. Here’s Cybersecurity and Infrastructure Security Agency Director Jen Easterly, advocating for the agency’s message for the event (and later suggesting it shouldn’t just be one month):

National Cyber Director Chris Inglis offered a video message:

The FBI and Inglis’s new hire Camille Stewart Gloster also took the sincere approach, although Stewart Gloster promised a “fun video series” later.

'Oh no it's cybersecurity awareness month'

Some leaned fully toward making jokes on the occasion of Cybersecurity Awareness Month. 

Here's Jason Atwell of cybersecurity firm Mandiant with the “Zoolander” reference, with the comedy message of “maybe nobody's paying attention”:

Ken Westin of Cybereason wrote a homemade greeting card in the joke style of “do the opposite of what you should in cyberspace”:

Some of the silliness around Cybersecurity Awareness Month comes from a place of affection, of course. Take Confidence Staveley, founder of the Cybersafe Foundation (with … a “Hunger Games” whistle-dance?):

‘You are now aware of cybersecurity, thank you’

Cybersecurity writers and reporters are among the most biting in their commentary on Cybersecurity Awareness Month. It comes, mostly, from a place of overflowing emails from public relations firms. I personally received my first Cybersecurity Awareness Month pitch in mid-August. (Full disclosure: I've made jokes on Twitter about the holiday as recently as mid-September.)

It's a little like the general public's exasperation about holiday decorations smacking everyone in the eyeballs long before the holiday itself, which TechCrunch's Zack Whittaker seized on:

Sorry, Benjamin Freed of StateScoop, you are definitely not going to get what you're asking for this year:

Andrea Peterson of the Record would, in essence, like some of their life back:

At least public relations pros can have a sense of humor about it, too, like Anne Cutler, communications director for Keeper Security:

Not dismissive

It's not just government officials who are giving Cybersecurity Awareness Month a chance. Bryson Bort, CEO of cybersecurity company Scythe, solicited and received sincere answers on how to measure whether the event is making a difference:

The cynical running jokes on Twitter don't amuse Tracy Maleeff, a security researcher for the Krebs Stamos Group:

The overlap

Aside from the question of whether to celebrate or joke about the event, there are separate, serious issues related to October and Cybersecurity Awareness Month.

As the term “child sex abuse material” and its acronym “CSAM” have grown in use, there have been more frequent calls for people to not use that acronym for Cybersecurity Awareness Month.

Here's Merritt Baer of Amazon Web Services (Amazon founder Jeff Bezos owns The Washington Post):

October is also Domestic Violence Awareness Month, putting an extra spotlight on October for Eva Galperin, co-founder of the Coalition Against Stalkerware and director of cybersecurity for the Electronic Frontier Foundation:

Even with somber overlaps, there's still room for witty remarks from Cisco's Wendy Nather:

The keys

Officials warn about security threats ahead of midterm elections

There's just a month until midterm elections. (Robb Hill for The Washington Post) © Robb Hill/for The Washington Post There's just a month until midterm elections. (Robb Hill for The Washington Post)

Officials from the Department of Homeland Security and FBI told reporters that they’re focusing on election threats in the run-up to November midterm elections, the Wall Street Journal’s Dustin Volz reports. The elections could see a confluence of threats, including foreign hacks, disinformation campaigns, threats to election workers and malicious insiders.

It’s a “more complex threat environment than what occurred in 2020 or that we’ve ever seen because of the various components of threat,” CISA Director Jen Easterly said. 

So far, the U.S. government notably hasn’t seen foreign governments target election systems like in previous years, officials said. But they noted that they’re on alert for potential cyberattacks between now and Nov. 8. FBI agents are concerned that a foreign disinformation campaign could boost incorrect or overstated claims about election equipment being compromised, a senior FBI official said.

Hackers leak data from second-largest school district in U.S.

Los Angeles's school district has refused to pay the hackers. (Frederic J. Brown/AFP/Getty Images) © Frederic J. Brown/AFP/Getty Images Los Angeles's school district has refused to pay the hackers. (Frederic J. Brown/AFP/Getty Images)

The data released by a ransomware gang calling itself “Vice Society” appeared to include documents from the Los Angeles Unified School District’s facilities services division and W-9 tax forms, the Los Angeles Times’s Howard Blume reports. The group posted the data after the school district’s superintendent, Alberto Carvalho, told the Los Angeles Times that he wouldn’t pay a ransom or negotiate with the group. 

“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” Carvalho said in a statement Friday. That day, he told the Los Angeles Times that he didn’t think employees’ confidential information was stolen, but he was less certain about data on students. On Monday, Carvalho said at a news conference that the leaked data was “more limited than we originally anticipated,” though it did include some sensitive information, ABC7 reports.

When the ransomware attack was discovered Sept. 3, “district technicians quickly shut down all computer operations to limit the damage, and officials were able to open campuses as scheduled on the Tuesday after the holiday weekend,” Blume writes. “The shutdown and the hack resulted in a week of significant disruptions as more than 600,000 users had to reset passwords and systems were gradually screened for breaches and restored.” 

The hack came amid the busy “back-to-school” season. Dozens of schools and universities have been targeted with ransomware this year, according to researchers.

Researchers find recent Pegasus infections on Mexican activists’ phones

Mexican President Andrés Manuel López Obrador previously said his government wouldn't conduct spying operations. (Cristopher Rogel Blanquet/Getty Images) © Cristopher Rogel Blanquet/Getty Images Mexican President Andrés Manuel López Obrador previously said his government wouldn't conduct spying operations. (Cristopher Rogel Blanquet/Getty Images)

The apparent hacks with NSO Group's Pegasus spyware come despite Mexican President Andrés Manuel López Obrador promising that his government wouldn’t conduct spying, the Associated Press’s Mark Stevenson reports. López Obrador has said he was the target of government surveillance when he was an opposition leader in the country. 

“We are not involved in that,” López Obrador said when asked about Pegasus in 2019. “Here we have decided not to go after anybody. Before, when we were in the opposition, we were spied on.”

Human rights activist Raymundo Ramos was reportedly hacked with Pegasus in 2020. Two journalists were also reportedly the victims of Pegasus in the country. The hacks were confirmed by the University of Toronto’s Citizen Lab, which didn't attribute the hacks to a particular NSO client.  Mexican digital rights group R3D, which wrote a report on the hacks, concluded that the country's military was probably behind the hacks.

Journalists and human rights activists have filed a criminal complaint and asked the office of the country’s attorney general to investigate, reports Animal Político. One of the hacked journalists worked for the outlet. 

NSO Group told Reuters that it couldn’t verify the findings without seeing detailed data on the hacks. It also said it terminates contracts when it detects wrongdoing.

The report comes as pressure also ramps up in Europe for criminal investigations over Pegasus use. The European Parliament committee investigating European use of Pegasus and other spyware wants European law enforcement organization Europol to propose that European Union member countries launch criminal investigations into spyware use, according to a letter that committee chair Jeroen Lenaers wrote to Europol Executive Director Catherine De Bolle. “There is evidence of criminal acts,” Lenaers wrote.

Securing the ballot

They legitimized the myth of a stolen election — and reaped the rewards (The New York Times)

Global cyberspace

U.S.-U.K. data sharing program goes into effect (NextGov)

Pro-Russian groups are raising funds in crypto to prop up military operations and evade U.S. sanctions (CNBC)

Hill happenings

Langevin tops $1 million in Wall Street trades for 2022 despite backing a ban (WPRI)

Cyber insecurity

Millions in cryptocurrency vanished as agents watched helplessly (Bloomberg Businessweek)


  • Recorded Future holds its Predict intelligence conference today and Wednesday.
  • The Center for Strategic and International Studies hosts an event on information warfare and Ukraine on Wednesday at noon.
  • The FS-ISAC holds its FinCyber Today summit in Scottsdale, Ariz., from Oct. 10 through Oct. 12.

Secure log off

Thanks for reading. See you tomorrow.


More From The Washington Post

The Washington Post
The Washington Post
image beaconimage beaconimage beacon