Articles

US sanctions Russian government, security firms for SolarWinds breach,…

The Biden administration places economic sanctions on Russian government organizations, individuals, and companies including several security firms.

The Biden Administration announced a robust, coordinated series of punitive measures to confront Russia’s growing malign behavior, including its massive hack of SolarWind’s software, attempts to interfere with the 2020 elections, and other destructive deeds against the US. The administration’s actions levy financial sanctions on the country and the companies usually involved in malicious cyber activity against the US. It also exposes previously withheld details about the Russian ruling regime’s digital and disinformation operations. In addition to the White House, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Homeland Security, and Treasury Department all play a role in the complex set of actions against Russia.

First, President Biden signed a new sanctions executive order that strengthens authorities to “impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions.” Under the EO, the Treasury Department is implementing multiple actions to target “aggressive and harmful activities” against the Russian government, including a directive that “generally prohibits US financial institutions from participating in the primary market for ruble or non-ruble denominated bond issued after June 14, 2021.”

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Alejandro Mayorkas

Experts fear that Biden’s cybersecurity executive order will repeat…

President Biden is expected to issue an executive order soon in response to the SolarWinds and Exchange Server attacks. Leaked details suggest it might not focus on the most effective actions.

Since December, the US has been in a cybersecurity crisis following FireEye’s bombshell that Russian hackers implanted espionage malware throughout US private sector and government networks through the SolarWinds supply chain hack. Despite growing pressure from Congress, the still-new Biden administration has released few details on how it plans to respond to this massive intrusion or the more concerning discovery in January of widespread and scattershot attacks by Chinese state operatives on Microsoft Exchange email server software.

Although the administration reportedly won’t release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, generating mostly skepticism among many top cybersecurity professionals.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash

 

Articles

States enact safe harbor laws against cyberattacks, but demand…

Connecticut might soon follow Ohio and Utah by enacting a law that offers liability protection against ransomware and other cyberattacks, but only if victims follow security best practices.

While sophisticated ransomware and nation-state threat actors target US critical infrastructure, the only protection most organizations have against these attacks is tight and effective cybersecurity. These attacks have drawn government attention and sparked calls for liability protection against malicious intrusions. If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.

During a Senate Intelligence Committee hearing last month, Chairman Mark Warner (D-VA) said, “While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene.”

“Cyber hygiene” is not enough, as former National Security Council (NSC) cybersecurity director Robert Knake recently wrote. “Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is not sufficient against these groups,” Knake wrote. “Instead, organizations should invest in security and operational vigilance, as these actors will take advantage of any mistake that defenders make.”

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash

 

Articles

US government calls for better information sharing in wake…

The Biden administration seeks ways to better gather and share security intelligence from the private sector, but experts see barriers to success.

As the federal government grapples with Russia and China’s widespread and damaging hacks, the Biden administration is seeking new methods for better early threat detection of these sophisticated intrusions. Both the SolarWinds espionage hack attributed to Russian operatives and the exploits of the Microsoft Exchange server vulnerabilities attributed to China were uncovered by private firms, cybersecurity giant FireEye and Microsoft.

Both attacks originated on servers within the US, placing them out of reach of the National Security Agency’s (NSA’s) powerful detection capabilities, which US law restricts to international activities. The new cybersecurity leadership in the Biden White House is brainstorming methods to establish new early warning systems that combine traditional intelligence agency methods with private sector expertise. The White House announced on March 17 the formation of a task force it calls the Unified Coordination Group consisting of federal and private sector representatives charged with finding a “whole of government” response to the Microsoft Exchange attack.

Reportedly chief among the new approaches is establishing more profound information-sharing methods with the private sector. The concept is to set up a real-time threat sharing mechanism where data could be sent to a central repository and paired with intelligence gathered by the NSA and other intel agencies to provide organizations with more immediate threat warnings.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Clint Patterson on Unsplash

 

Articles

Why the Microsoft Exchange Server attack isn’t going away…

For some victims, patching and proper forensics will be difficult, plus new threat actors are now exploiting the same Exchange Server vulnerabilities.

On March 2, Microsoft revealed a critical cybersecurity offensive launched by a foreign adversary against organizations in the United States. The company attributed the attacks to a Chinese advanced persistent threat group it calls Hafnium. Microsoft quickly announced patches for the four previously unknown vulnerabilities in Exchange Server that the malicious actors had exploited.

Reports circulated last week that the hackers compromised at least 30,000, and likely hundreds of thousands, of unpatched Exchange servers. As a consequence, incident responders are working around the clock responding to this latest threat, which they consider an actual attack on public and government IT infrastructure, unlike the still-ongoing, primarily espionage-oriented SolarWinds hack.

The Biden Administration, already grappling with the fallout from the massive SolarWinds hack, which became public in December and has been widely, although not officially, attributed to Russian hackers, said it would take” a whole of government response to assess and address the impact.” Anne Neuberger, the deputy national security adviser for cybersecurity, leads that effort.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Clint Patterson on Unsplash

 

Articles

Virginia data protection bill signed into law

The state is the second in the nation to enact a consumer data protection law along the lines of the EU’s GDPR. Here’s what businesses need to know about Virginia’s CDPA.

On March 2, Virginia’s Democratic Governor Ralph Northam signed into law the nation’s second major piece of state legislation that governs consumer data privacy and protection. Virginia’s Consumer Data Protection Act (CDPA) follows the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. In a referendum last fall, California citizens voted to amend the CCPA by approving the California Privacy Rights and Enforcement Act (CPRA), which will mostly go into effect on January 1, 2023.

All three laws follow the European Union’s landmark data protection law, the General Data Protection Regulation (GDPR), implemented on May 25, 2018. Although the CCPA, CPRA and CDPA borrow heavily from the GDPR, each data privacy vehicle contains provisions that vary from the other laws.

Virginia’s CDPA, also set to go into effect January 2023, spells out a complex framework for how businesses or “persons conducting business in the Commonwealth” control or process data. The bill’s provisions apply only to businesses that control or process personal information of at least 100,000 consumers, defined as Virginia residents, or companies that control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.

The legislation spells out that some organizations and data are exempt from the bill’s requirements. Among the exemptions in the CDPA are state and local governments, non-profit organizations, and higher education institutions. Information subject to the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), and personal data processed in employment contexts are also exempt. The bill further exempts institutions subject to the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Markus Spiske on Unsplash

 

Articles

Cyber Diplomacy Act aims to elevate America’s global cybersecurity…

The new bill has bipartisan support to improve the US’s ability to prevent and respond to cyberattacks and correct missteps of the Trump administration.

On February 23, 2021, a bipartisan group of leading Congress members introduced the Cyber Diplomacy Act of 2021. Jim Langevin (D-RI), Chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems, and Republican Michael McCaul (R-TX), the Republican lead on the House Foreign Affairs Committee, are top sponsors of the legislation.

The bill, which revives legislation introduced during the last two Congresses, establishes an Office of International Cyberspace Policy within the State Department. It also aims to promote American international leadership on cybersecurity, a primary goal of the Cyberspace Solarium Commission, which Langevin co-chairs.

The bill creates a Bureau of International Cyberspace Policy in the Undersecretary of Political Affairs offices where it will guide policy across a diverse range of areas touched by cyberspace. “I have full confidence that this organizational change is going to best position the United States to reclaim its role as a global leader inside the diplomacy realm, which is very particularly urgent given the ever-changing array of threats that we face,” Langevin tells CSO. ” basically positions the State Department to be much better equipped to advocate on the international stage for cyber diplomacy-related issues. It hopefully undoes the damage that was done during the time of the previous administration,” he says.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by the blowup on Unsplash

 

Articles

New York issues cyber insurance framework as ransomware, SolarWinds…

The state looks to protect one of its core industries, which is threatened by mounting and potentially “unsustainable” losses due to the SolarWinds and ransomware attacks.

On February 4, 2021, New York became the first state in the nation to issue a cybersecurity insurance risk framework to all authorized property and casualty insurers. In releasing the framework, New York’s Department of Financial Services (DFS) said that “rom the rise of ransomware to the recently revealed SolarWinds-based cyber-espionage campaign, it is clear that cybersecurity is now critically important to almost every aspect of modern life—from consumer protection to national security.”

The framework applies to all property or casualty insurers that write cybersecurity insurance. However, the DFS wants all insurers, even though those that don’t offer cybersecurity insurance, to “still evaluate their exposure to ‘silent risk’ and take appropriate steps to reduce that exposure.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Scott Graham on Unsplash

 

Articles

Oldsmar cyberattack raises importance of water utility assessments, training

The attempt to poison a city’s water supply by remotely accessing its ICS underscores the need for cybersecurity assistance at under-resourced critical infrastructure facilities.

On Monday, February 8, a press conference hosted by Pinellas County, Florida, sheriff Bob Gualtieri dropped an industrial cybersecurity bombshell that reverberated worldwide. Gualtieri, along with the mayor and city manager of Oldsmar (population 15,000), revealed that a hacker had infiltrated the Oldsmar water treatment system to change the city’s water supply levels of sodium hydroxide from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, is a highly caustic chemical that is a key ingredient in liquid drain cleaners.

The hackers gained unauthorized access to an internal industrial control system (ICS), likely using stolen or lost credentials, via TeamViewer, a remote desktop application that allows users to log into systems from afar, a ubiquity across many organizations during the COVID-19 crisis. Gualtieri and the city officials offered only a few other details of the disturbing breach.

The attacker was caught in the act by a water utility employee who happened to see the cursor moving on the screen executing commands which were discovered hours later to be the malicious chemical composition changes. When the changes were discovered, the sodium hydroxide levels were restored to their original levels and no harm was done to the water supply. System checks and redundancies would have caught the deadly changes anyway, the officials maintained.

No one has yet determined whether the hacker was domestic or originated outside the United States. The FBI and the Secret Service are working on an investigation.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Sime Basioli on Unsplash

 

Articles

Biden administration brings expertise, new attitude to cybersecurity

The US president promises a reckoning for SolarWinds hackers and places cybersecurity at the top of the administration’s agenda.

The Biden administration has hit the ground running on cybersecurity, reportedly getting ready to nominate what some have called a “world-class” cybersecurity team of officials and prioritizing efforts to tackle the worst hack in US history, the SolarWinds breach. The renewed effort to tackle cybersecurity matters couldn’t come soon enough. The Trump administration all but gutted the White House and other government offices of cybersecurity expertise. In a series of steps that started with the elimination of a White House cybersecurity coordinator and ended with the firing of Christopher Krebs, the highly respected head of the Cybersecurity and Infrastructure Security Agency (CISA), the government suffered a serious cybersecurity brain drain during the Trump era.

The first sign that the current administration plans to take cybersecurity more seriously than the previous one did is the hiring of National Security Agency (NSA) official Anne Neuberger to fill the new position of Deputy National Security Adviser for cyber and emerging technology. Neuberger led the NSA’s cybersecurity defense operations and created the Russia small group at the agency to protect the 2018 mid-term elections from the kind of digital damage that marred the 2016 presidential election.

Biden has also tapped former senior national security officials with expertise in cybersecurity. Among them are Michael Sulmeyer, who serves as senior director for cybersecurity; Elizabeth Sherwood-Randall, named homeland security adviser; Russ Travers, deputy homeland security adviser; and Caitlin Durkovich, now a senior director for resilience and response at the National Security Council.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by René DeAnda on Unsplash