The majority of the allegations directed at the CTI League are insinuations that are simply not supported by any real facts. Proof requires depth and investigation beyond the surface. Bold claims call for strong evidence, and what has been presented does not withstand scrutiny. For example, the CTI League had no relationship with Stanford or the Election Integrity Project. There was no communication between the CTI League and those organizations.
The League was focused on the defense of healthcare alone. Non-healthcare-related topics such as the election were stated as being out of scope. It did not undertake any form of censorship, nor did its participants have the ability to do so.
Despite the efforts of thousands of volunteers in many similar organizations, healthcare was impacted. However, I can say with absolute certainty that due to the efforts of these volunteers many incidents were prevented and many lives were saved.
Impact of Cybersecurity incidents during the pandemic on healthcare.
A deeper look into cybersecurity issues in the wake of Covid-19: A survey
Allegation that the CTI League engaged in Censorship.
The CTI League’s mission was to protect healthcare infrastructure, first responders, clinics, and ultimately, ordinary people. The pandemic led to an unprecedented rise in cyber attacks. It’s been identified by many as the largest cybersecurity event in history.
The volunteers in the CTI League are private citizens with no special authorities. They have no power to remove content, no power to censor information, and no power to direct the government. The most that a volunteer can do is fill out an abuse form, such as the community standards forms on Facebook.
The CTI League only created its disinformation team at the request of hospitals that, stretched to their limits, were unable to deal with the flood of misinformation, fraudulent schemes, and malware disguised as legitimate messages from impersonated institutions.
Allegation that the CTI League was a smokescreen for a purely disinformation-focused effort.
The Disinformation team is one out of more than 30 different teams in the league. It has the smallest membership (400, with only 150 active) compared to the technical teams such as the medical infrastructure vulnerability team (1200 with over 900 active).
Allegation that billion-dollar hospitals don’t need the support of volunteers.
It should not come as a surprise, but many (though not all) organizations are not resourced to defend against sophisticated cyber attacks – especially those in the health sector, many of which operate as non-profit entities. Ransomware now hits more than two major hospitals every week. Businesses hit multiple times by ransomware are frequently forced to close their doors. The idea that ordinary citizens whose profession it is to defend against these very attacks can make a difference is far from a laughing matter.
Private sector individuals and entities were responsible for generating the bulk of pre-ransomware notifications passed to agencies like CISA for action in the last 3 years. Private sector individuals identified, tracked and then cooperated with the FBI to resolve the attacks launched by hostile foreign actors during the “HAFNIUM” incident. Private sector individuals have been quietly supporting or empowering almost every major cybersecurity criminal disruption in recent years.
The USA has no cyber 9-1-1 service. Ultimately it is up to citizens to defend this country. This willingness to volunteer to defend our freedoms has always been the American way.
Allegation that the CTI League’s efforts were duplicative of free or paid services available to these hospitals.
In some cases, this is absolutely true. However, there is a very real problem in our country that we know as the “cybersecurity poverty line”. Many businesses, especially those in the health sector, cannot afford to pay for extra cybersecurity services – nor the labor to take advantage of free ones. When a crisis hits, this only gets worse. Free services supported by skilled volunteers have been and continue to be a lifeline for many organizations.
It also completely misses the fact that the volunteers in the CTI League came from all over the industry, in fact from all over the world. This aggregation of knowledge and skill meant that we were able to achieve incredible things – we identified more than 2000 vulnerabilities each month. We disrupted hostile campaigns targeting major institutions. A huge part of our task, however, was informing vulnerable organizations and then supporting them in fixing the flaws before they got attacked.
Lastly, we had to deal with organizations under attack. When your house is on fire, every extra skilled hand with a bucket can be the difference between saving it, or watching it burn down. Cybersecurity incidents are no different.
Allegation that the CTI League was created, shaped or at all guided by government entities:
The League was created on the 14th of March 2020 by cybersecurity volunteers with no government affiliations. All the founders were – and still are – employed by private sector companies. This is a fact that can be confirmed by looking at public sources such as LinkedIn and many independent articles in the press.
The CTI League was founded by:
- Ohad Zaidenberg, who was working as the lead security researcher for ClearSky Cyber Security. Ohad is not, and has never been, an Israeli Intelligence officer. The original allegations can be traced back to an antisemitic source that offered no corroborating evidence to support these outrageous allegations.
- Marc Rogers, who was working as a cybersecurity executive for Okta. Marc has been a hacker his whole career, and the evidence of his work can be seen in his published research or his work on TV shows such as Mr. Robot. He is also not a spy.
- Nate Warfield, who was working as a senior security program manager for Microsoft’s MSRC.
- Chris Mills, who was working as a senior privacy program manager for Microsoft.
Initially the entire membership of the League was cybersecurity professionals. Members of law enforcement and government agencies such as CISA were only invited several weeks later, around the end of March. They joined primarily because the League had become a hub of activity that they wished to partner with. The bulk of our work was on malware analysis, vulnerability identification and victim notification. At the same time, the CTI League partnered with many health organizations such as the World Health Organization, the H-ISAC and HHS.
Partnership with these organizations was critical for success; they are the organizations tasked with protecting the health sector on the ground. This form of collaboration is the only way both public and private sector entities can successfully combat sophisticated cybersecurity threats.
Allegation that the CTI League was in some way controlled, shaped or influenced by US (or foreign) military persons and organizations.
All members of the CTI League were required to display their affiliations publicly for transparency and trust. This was standardized as a tag like [company] or [organization]. The purpose of this was so that the volunteers knew who they were talking to and could engage with each other appropriately.
This is standard practice for “Trust groups” like the CTI League. The presence of people affiliated with an organization in a group does not mean that organization has any influence over the group. In fact, it is expected that all individuals in these groups operate on their own and that they do not speak for their organizations. Many organizations only permit this type of volunteering if their employees agree to these terms. Some organizations enforce this in their employment contracts.
Summary
The CTI League is a multinational volunteer cybersecurity collective started by volunteers and run on a purely volunteer basis. It was created in March 2020 with a single mission: to defend the global health system, and the front-line workers sacrificing so much to keep it functioning, from the anticipated surge in cybersecurity threats during the pandemic – a surge that has been repeated historically after every major global incident. Despite the best efforts of the CTI League and other related organizations, incidents happened, and lives were regrettably lost.
Since the end of the pandemic, the CTI League has substantially reduced its operations in recent months, but continues to support efforts to protect healthcare globally. While the threat from COVID may have waned, the threats to our critical medical infrastructure are very real, and growing. The US government cannot solve this problem without the support of passionate citizens and the private sector.
Until a better solution is found, it will be volunteers in initiatives like this that ultimately make the difference in defending our country from sophisticated threats.