Articles

Biden administration releases ambitious cybersecurity executive order

Though lacking in definitional clarity, this new executive order might be more effective than past federal efforts, especially in the wake of the Colonial Pipeline attack.

Capping a dramatic week that saw major oil pipeline provider Colonial Pipeline crippled by a ransomware attack, the Biden administration released a highly anticipated, far-reaching and complex Executive Order on Improving the Nation’s Cybersecurity. The executive order (EO) aims to chart a “new course to improve the nation’s cybersecurity and protect federal government networks.”

The ambitious document uses the SolarWinds and Microsoft Exchange supply chain hacks and the Colonial Pipeline ransomware infection as springboards for a series of initiatives that aim to minimize the frequency and impact of these kinds of incidents. These initiatives are:

  1. Remove barriers to threat information sharing between government and the private sector, particularly ensuring that IT service providers can share security breach information with the federal government.
  2. Modernize and implement stronger cybersecurity standards in the federal government, including a move to cloud services and zero-trust architectures and multi-factor authentication (MFA) and encryption mandates.
  3. Improve software supply chain security, including establishing baseline security standards for software development for software sold to the government. The Commerce Department must publish minimum elements for a software bill of materials (SBOM) that traces the individual components that make up software.
  4. Establish a cybersecurity safety review board consisting of government and private sector experts who convene following a significant cybersecurity incident to make recommendations, much like the National Transportation Safety Board (NTSB) does in the aftermath of a major transportation accident.
  5. Create a standard playbook for responding to incidents to ensure all federal agencies meet a standard playbook and set of definitions for incident response.
  6. Improve detection of cybersecurity incidents on federal government networks by enabling a government-wide endpoint detection and response (EDR) system and improved information sharing within the federal government.
  7. Improve investigative and remediation capabilities by creating cybersecurity event log requirements for all federal agencies.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Colonial Pipeline shutdown highlights need for better OT cybersecurity…

Experts weigh in on what the Colonial attack teaches critical infrastructure providers about preparation and incident response.

In one of the most disruptive cybersecurity incidents to take place in the United States, Georgia-based Colonial Pipeline announced late Friday that it was the victim of a cyberattack, later confirmed to be a ransomware attack. The company said it proactively took specific systems offline and halted all pipeline operations.

Colonial called in federal authorities and hired FireEye Mandiant to conduct an incident response investigation. On Sunday, the third day of its shutdown, Colonial said it was developing a system restart plan while keeping its four main oil lines offline. The company said it would bring its “full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”

News of Colonial’s shutdown reverberated all weekend throughout the cybersecurity world, given how critical Colonial’s pipeline business is to the nation’s economic health. Colonial transports 2.5 billion barrels of oil per day to the eastern US and connects to 30 refineries and almost 300 distribution terminals. It carries gas and other fuel from Texas to the Northeast, delivering around 45% of the fuel consumed on the East Coast.

The criticality of Colonial Pipeline to the national infrastructure became clear late Sunday when the Biden administration issued emergency waivers in response to the cyberattack, lifting limits on the transportation of fuels by road as fears of shortages begin to put upward pressure on oil and gas prices. Commerce Secretary Gina Raimondo said that the President had been briefed, and it’s an “all-hands-on-deck” situation to ensure the attack doesn’t disrupt the US oil supply.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by SELİM ARDA ERYILMAZ on Unsplash

 

Articles

Task force proposes framework for combatting ransomware

A diverse coalition of experts from business and the public sector present 48 recommendations for solving the ransomware crisis, including international cooperation and regulating cryptocurrencies.

Ransomware, the “perfect crime” of the internet era, is spreading rapidly, growing according to some accounts by 150% or more in 2020. There are no signs of a slow-down in 2021. The average ransom demanded by attackers jumped 43% from Q4 2020 to Q1 2021 to $220,298 as threat groups target bigger and more vulnerable organizations, from police forces to hospitals to municipal school districts.

Two significant factors aid the inevitability of ransomware. The first is the ease with which cybercriminals can earn money from their ransomware endeavors. The second factor bolstering the ransomware market is the inability of law enforcement or government officials to do much of anything about these kinds of attacks.

Acknowledging that the ransomware problem has gone from bad to worse, the Biden administration’s Justice Department has launched a task force that reportedly targets the entire digital ecosystem that supports ransomware. That task force consists of the Justice Department’s criminal, national security, and civil divisions, the Federal Bureau of Investigation (FBI), and the Executive Office of US Attorneys, which supports the 93 top federal prosecutors across the country.

Now a 60-plus member coalition of volunteer experts from industry, government, law enforcement, insurers, international organizations, and other areas has put forth a comprehensive framework of 48 actions that government and industry can pursue to disrupt the ransomware market. The Ransomware Task Force, primarily organized by the Institute for Security and Technology, is issuing a report today called Combatting Ransomware, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Biden administration releases 100-day plan to address electric system…

The plan focuses largely on supply chain risks to the electric grid, requests input on the DOE’s role in coordinating cybersecurity efforts.

On April 20, the Biden administration, through the United States Department of Energy (DOE), issued what it is calling its 100-day plan to address cybersecurity risks to the US electric system. The plan is a coordinated effort among DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). It “represents swift, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are essential to US national and economic security,” according to the announcement.

The idea is that DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), working with utilities, will “continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.” To achieve this goal, the efforts undertaken in this “sprint” focus on encouraging power grid players to:

  1. Implement measures or technology that enhance their detection, mitigation and forensic capabilities.
  2. Deploy technologies that enable near real-time situational awareness and response capabilities in the critical industrial control system (ICS) and operational technology (OT) networks.
  3. Enhance the security posture of their IT networks.
  4. Deploy technologies to increase the visibility of threats in ICS and OT systems.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

US sanctions Russian government, security firms for SolarWinds breach,…

The Biden administration places economic sanctions on Russian government organizations, individuals, and companies including several security firms.

The Biden Administration announced a robust, coordinated series of punitive measures to confront Russia’s growing malign behavior, including its massive hack of SolarWind’s software, attempts to interfere with the 2020 elections, and other destructive deeds against the US. The administration’s actions levy financial sanctions on the country and the companies usually involved in malicious cyber activity against the US. It also exposes previously withheld details about the Russian ruling regime’s digital and disinformation operations. In addition to the White House, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Homeland Security, and Treasury Department all play a role in the complex set of actions against Russia.

First, President Biden signed a new sanctions executive order that strengthens authorities to “impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions.” Under the EO, the Treasury Department is implementing multiple actions to target “aggressive and harmful activities” against the Russian government, including a directive that “generally prohibits US financial institutions from participating in the primary market for ruble or non-ruble denominated bond issued after June 14, 2021.”

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Alejandro Mayorkas

Experts fear that Biden’s cybersecurity executive order will repeat…

President Biden is expected to issue an executive order soon in response to the SolarWinds and Exchange Server attacks. Leaked details suggest it might not focus on the most effective actions.

Since December, the US has been in a cybersecurity crisis following FireEye’s bombshell that Russian hackers implanted espionage malware throughout US private sector and government networks through the SolarWinds supply chain hack. Despite growing pressure from Congress, the still-new Biden administration has released few details on how it plans to respond to this massive intrusion or the more concerning discovery in January of widespread and scattershot attacks by Chinese state operatives on Microsoft Exchange email server software.

Although the administration reportedly won’t release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, generating mostly skepticism among many top cybersecurity professionals.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash

 

Articles

States enact safe harbor laws against cyberattacks, but demand…

Connecticut might soon follow Ohio and Utah by enacting a law that offers liability protection against ransomware and other cyberattacks, but only if victims follow security best practices.

While sophisticated ransomware and nation-state threat actors target US critical infrastructure, the only protection most organizations have against these attacks is tight and effective cybersecurity. These attacks have drawn government attention and sparked calls for liability protection against malicious intrusions. If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.

During a Senate Intelligence Committee hearing last month, Chairman Mark Warner (D-VA) said, “While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene.”

“Cyber hygiene” is not enough, as former National Security Council (NSC) cybersecurity director Robert Knake recently wrote. “Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is not sufficient against these groups,” Knake wrote. “Instead, organizations should invest in security and operational vigilance, as these actors will take advantage of any mistake that defenders make.”

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Mackenzie Weber on Unsplash

 

Articles

US government calls for better information sharing in wake…

The Biden administration seeks ways to better gather and share security intelligence from the private sector, but experts see barriers to success.

As the federal government grapples with Russia and China’s widespread and damaging hacks, the Biden administration is seeking new methods for better early threat detection of these sophisticated intrusions. Both the SolarWinds espionage hack attributed to Russian operatives and the exploits of the Microsoft Exchange server vulnerabilities attributed to China were uncovered by private firms, cybersecurity giant FireEye and Microsoft.

Both attacks originated on servers within the US, placing them out of reach of the National Security Agency’s (NSA’s) powerful detection capabilities, which US law restricts to international activities. The new cybersecurity leadership in the Biden White House is brainstorming methods to establish new early warning systems that combine traditional intelligence agency methods with private sector expertise. The White House announced on March 17 the formation of a task force it calls the Unified Coordination Group consisting of federal and private sector representatives charged with finding a “whole of government” response to the Microsoft Exchange attack.

Reportedly chief among the new approaches is establishing more profound information-sharing methods with the private sector. The concept is to set up a real-time threat sharing mechanism where data could be sent to a central repository and paired with intelligence gathered by the NSA and other intel agencies to provide organizations with more immediate threat warnings.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Clint Patterson on Unsplash

 

Articles

Why the Microsoft Exchange Server attack isn’t going away…

For some victims, patching and proper forensics will be difficult, plus new threat actors are now exploiting the same Exchange Server vulnerabilities.

On March 2, Microsoft revealed a critical cybersecurity offensive launched by a foreign adversary against organizations in the United States. The company attributed the attacks to a Chinese advanced persistent threat group it calls Hafnium. Microsoft quickly announced patches for the four previously unknown vulnerabilities in Exchange Server that the malicious actors had exploited.

Reports circulated last week that the hackers compromised at least 30,000, and likely hundreds of thousands, of unpatched Exchange servers. As a consequence, incident responders are working around the clock responding to this latest threat, which they consider an actual attack on public and government IT infrastructure, unlike the still-ongoing, primarily espionage-oriented SolarWinds hack.

The Biden Administration, already grappling with the fallout from the massive SolarWinds hack, which became public in December and has been widely, although not officially, attributed to Russian hackers, said it would take” a whole of government response to assess and address the impact.” Anne Neuberger, the deputy national security adviser for cybersecurity, leads that effort.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Clint Patterson on Unsplash

 

Articles

Virginia data protection bill signed into law

The state is the second in the nation to enact a consumer data protection law along the lines of the EU’s GDPR. Here’s what businesses need to know about Virginia’s CDPA.

On March 2, Virginia’s Democratic Governor Ralph Northam signed into law the nation’s second major piece of state legislation that governs consumer data privacy and protection. Virginia’s Consumer Data Protection Act (CDPA) follows the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. In a referendum last fall, California citizens voted to amend the CCPA by approving the California Privacy Rights and Enforcement Act (CPRA), which will mostly go into effect on January 1, 2023.

All three laws follow the European Union’s landmark data protection law, the General Data Protection Regulation (GDPR), implemented on May 25, 2018. Although the CCPA, CPRA and CDPA borrow heavily from the GDPR, each data privacy vehicle contains provisions that vary from the other laws.

Virginia’s CDPA, also set to go into effect January 2023, spells out a complex framework for how businesses or “persons conducting business in the Commonwealth” control or process data. The bill’s provisions apply only to businesses that control or process personal information of at least 100,000 consumers, defined as Virginia residents, or companies that control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.

The legislation spells out that some organizations and data are exempt from the bill’s requirements. Among the exemptions in the CDPA are state and local governments, non-profit organizations, and higher education institutions. Information subject to the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), and personal data processed in employment contexts are also exempt. The bill further exempts institutions subject to the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Markus Spiske on Unsplash