Cybersecurity experts have long warned about the dangers of public internet in coffee shops, airports, hotel rooms and similar venues. At conferences like Black Hat, where government officials are hunting this week for new recruits, exposing the vulnerabilities of mobile devices is something of a sporting event. Some participants take glee in revealing the contents of a visitor’s phone on a big display for all to see. It is meant as a vivid reminder that hooking on to public Wi-Fi, or enabling Bluetooth connections, or even the capability to make a purchase by tapping a reader with a phone, is an invitation to have nonencrypted data seen by anyone.
And then there is the risk of being spoofed. Without citing particular incidents, the N.S.A. warning includes a caution that criminals or foreign intelligence agencies can set up open Wi-Fi systems that look as if they are from a hotel or a coffee shop, but are actually “an evil twin, to mimic the nearby expected public Wi-Fi.” (When State Department officials were negotiating the Iran nuclear accord in 2014 and 2015, many powers — from the Iranians to the Israelis — deployed such systems in hotels where the negotiations were underway, American officials warned at the time.)
The National Security Agency warning was not prompted by any recent uptick in criminals or nation-state adversaries using public internet to steal information or stage hacks, officials say. Instead, it appears to be part of a significantly accelerated U.S. government effort to raise awareness about a range of electronic vulnerabilities in recent months.
President Biden recently issued an executive order requiring software vendors who sell to the federal government to meet a series of cybersecurity standards. It also requires federal agencies to use two-factor authentication, much as consumers receive a text message with a code from their bank before getting into their account.
On Wednesday, speaking at the Aspen Security Forum, Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, repeated her frequent warning that the administration had to make up for lost time by persuading the public, and companies, to adopt protections that should have been in place years ago. She said a key element of the administration’s strategy was “disrupting the ecosystem” that has made ransomware such a profitable pursuit, and acknowledged that the state of America’s defenses, and its resilience to attack, was still “inadequate.”