— This week, the Cybersecurity and Infrastructure Security Agency will release its long-awaited cyber performance goals for critical infrastructure. But the guidance is voluntary, and Congress and the White House are divided over further regulation, raising questions about how much impact it will have.
Happy Monday and welcome to Morning Cybersecurity! In honor of the 60th anniversary of the Cuban Missile Crisis, today I would like to share a uranium-enriched hot take.
I love “Dr. Strangelove,” but I love “Fail Safe” more. It better captures the rational irrationality of Cold War-era nuclear strategists. It was a time when (most) good people felt they had to threaten humanity’s doom in order to save it.
The scary part? In “Fail Safe” you find yourself seeing eye to eye with the wrong characters, who act crazy to keep the other side from going crazy. It all makes sense until mushroom clouds rise over Moscow and New York.
And with that chipper note… it’s Morning Cyber time!
Any tips, feedback, or other clarifications? Send them to me at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full contact information for the team is below.
Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and the other intelligence you need to act on the day’s biggest stories.
Life goals — On the surface, the release of a list of general-purpose cybersecurity performance goals for critical infrastructure is a major step forward for the Biden administration, replacing its predecessor’s sector-by-sector approach to securing the country’s most vulnerable networks, an approach the administration called “unfortunately” fragmented when it announced the initiative last year.
But as industry resistance stifles other efforts in Congress to mandate stronger controls over the nation’s critical infrastructure, the White House has increasingly retreated to the same fragmented, voluntary approach.
That calls into question the future usefulness and impact of the new cyber performance goals, which were meant to feed into regulatory changes that may never materialize.
with bigger things in mind — When the Biden administration directed CISA to draft new cyber guidelines last year, it represented a first step toward a more ambitious regulatory project.
Essentially, the idea behind the CPGs was to create a set of high-priority security practices that all critical infrastructure operators should follow: guidance that addresses “not only risks to individual entities, but risks to the nation as a whole,” as the White House put it.
But a senior White House official later told reporters that the goal was “absolutely” to put the operators of the country’s most important networks on notice that strict rules were coming.
Sand in the gears — Since then, the White House has tapped existing federal regulators where it can, for example issuing new rules for the rail and aviation industries to protect highly sensitive U.S. networks. But industry resistance has hampered the White House’s and Congress’ most ambitious regulatory projects.
For example, industry opponents have repeatedly delayed legislation to identify and protect the most critical infrastructure entities in the United States.
One thing to watch — As The Washington Post reported last month, CISA may come under pressure to water down the CPGs as industry pushes back against the latest draft of the baseline goals.
That push and pull will continue even after the new guidance is published. A CISA spokesperson told MC that the agency will “maintain an open call for comment to welcome feedback on how the guidance will work in practice.”
what’s next — Once the CPG is released, CISA will begin working with other federal agencies on sector-specific goals and provide recommendations aligned with the new performance baselines.
Some federal agencies have regulatory authority over the sectors they oversee, so these sector-specific projects are where the government can get tough. As MC reported last week, Anne Neuberger, deputy national security adviser for cyber and emerging technologies, recently suggested that the White House would seek “creative interpretations” of existing laws to regulate specific sectors.
Industry feedback — A trade group representing big tech companies is urging lawmakers to reconsider a controversial provision in the upcoming defense policy bill that imposes a tougher security burden on contractors who provide software to government agencies.
In a letter Friday, the Alliance for Digital Innovation called on members of the House and Senate Armed Services Committees to strip text from the House version of the 2023 National Defense Authorization Act that would require vendors to demonstrate that their software has no known vulnerabilities, or to provide a plan to fix any vulnerabilities it does have. The provision would also direct DHS to issue contracting guidance requiring vendors to submit a software bill of materials (an inventory of the specific code components that make up a piece of software) when they bid for contracts with the federal government. ADI wants Congress to delete the text.
Cui bono? — ADI, whose members include top federal IT providers Amazon Web Services, Google Cloud, Adobe, Okta, and VMware, has a vested interest in blocking laws that would constrain its government business. Still, many independent critics agree that the provision sets a high bar for vendors, especially when it comes to remediating vulnerabilities.
This is because all software has vulnerabilities and not all vulnerabilities are created equal.
A mandate to address every software bug therefore undermines industry efforts to prioritize major vulnerabilities over minor ones, ADI and other industry groups claimed in another letter to Congress last month.
But — In MC’s view, that is an uncharitable reading of the draft text, and one that plays into the private sector’s hands.
The text is worth tweaking, for instance by specifying which vulnerabilities are covered (those listed in the national vulnerability database, say) to eliminate potential confusion. But the language that lets vendors provide remediation plans in lieu of fixes already gives them leeway to keep selling their software, imperfect as it is.
On the other hand — Some proponents believe the provision could be a game-changer for U.S. cybersecurity.
Last month, former White House cybersecurity adviser Michael Daniel told MC that existing market incentives favor vendors who ship new software quickly and beef up security protections later, and said the provision could “represent a huge market shift” for U.S. cybersecurity.
Troubling pattern — A Russian-speaking ransomware group that claims to pursue profit over politics appears to be targeting Ukrainian government agencies with spear-phishing emails, Ukraine’s computer emergency response team warned.
Ukraine’s CERT identified a “potential link” to the Cuba ransomware group, based on the use of a custom backdoor (code that maintains a covert foothold in the victim’s network) that the Cuba group debuted earlier this year.
Watch this space — The jury is still out on this particular case, but it may fit a troubling pattern. The Cuba ransomware group, ostensibly criminal, seems unable to break its habit of hitting politically sensitive targets.
In December 2021, the FBI issued a warning about the group, saying it had attacked 49 critical infrastructure entities in the United States. Earlier this summer, the group launched a massive ransomware campaign that disrupted government services in NATO member Montenegro.
A taste of your own medicine — A Russian-speaking ransomware group is breaking the first rule of Ransomware Fight Club: do not launch extortion attacks on Mother Russia.
The OldGremlin ransomware group has been targeting Russian companies since at least March 2020, according to researchers at Group-IB, a Singapore-based cybersecurity firm. The group uses custom malware, in addition to open source and commercial exploitation tools, to compromise victims, which suggests above-average skill.
Why it caught our eye — Russian-speaking ransomware groups have a tacit understanding with law enforcement in Russia and the Commonwealth of Independent States: local police won’t prosecute the groups so long as they don’t attack networks close to home.
That code of criminal conduct is, quite literally, written into code. Many Russia-based ransomware groups configure their malware not to deploy on computers whose default language is set to a Cyrillic-script language.
Led to slaughter — A malicious social engineering ploy that originated in Asia is making its way into the English-speaking world, according to research published this morning by cybersecurity firm Proofpoint. Dubbed “pig butchering,” the ruse begins with the scammer cultivating an unsuspecting social media user over an extended period. After gaining the victim’s trust, the scammer convinces them to deposit funds into a fake cryptocurrency account, and the criminals then inflate the account’s apparent balance to persuade the victim to keep investing. Based on the sophistication and breadth of the scheme, Proofpoint researchers believe a large criminal gang is behind it. Data cited in the report put the average loss from these scams at $122,000, and two-thirds of victims were women aged 25 to 40.
Check out CISA Director Jen Easterly’s thread calling on technology vendors to roll out two-factor authentication for their users. Easterly and her senior technical adviser at CISA, Bob Lord, published a blog post last week about implementing MFA.
— Microsoft is struggling to protect on-premises Exchange email servers, a pervasive technology that has been at the center of many large security incidents in recent years. (Wired)
— Google is launching a new open source project to improve security in the software supply chain. (Google)
— The Russian-speaking hacktivists who launched DDoS attacks against U.S. websites weren’t meant to cause damage, say three academics who study cyber conflicts. (legal)
— Graphika is considering launching a “software-based multi-stakeholder threat center” to help defenders stop online misinformation and disinformation campaigns. (CyberScoop)
— Hackers leak stolen data from Iran’s nuclear power organization. (Reuters)
Chat soon.
Stay in touch with the entire team: Eric Geller ([email protected]); Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).