OCCEAC Risk Partners: Public Sector

Greetings!

Prepared by the CyberWire (Thursday, December 8, 2016) — Ransomware attacks and distributed denial-of-service incidents were the most troubling forms of cyberattack on various, mostly commercial, enterprises over the past week. Government organizations should be alert to the same range of threats.

Last Wednesday, Change 2 to the US National Industrial Security Program Operating Manual (NISPOM) went into effect. It requires all Federal contractors with a facility clearance to self-certify that they have an insider threat management program in place. Affected companies must formally establish an insider threat program, with a responsible senior official in charge (an employee, not a third party, and an appropriately cleared US citizen). They are also charged with reporting, training, and providing pertinent records. These requirements are widely believed to be in tension with US privacy and employment laws and regulations, and there are also some implicit jurisdictional conflicts for those who do business internationally. The requirements are thought likely to be particularly burdensome for smaller firms. Litigation is expected.

The US Presidential Commission on Cybersecurity reported last Friday. Insofar as the report has an overarching theme, that theme would be resilience. Its six "imperatives" address security, investment and innovation, consumer preparation for "a digital age," cybersecurity workforce development, more effective Government digital functioning, and fostering an open and secure global digital economy. The workforce imperative is receiving considerable initial attention. NSA in particular is said to be losing talent to the private sector, and the next Administration is being urged to recruit "100,000 hackers."

The Snooper's Charter became law in the UK. The US implemented changes to Rule 41, which governs the scope of warrants to collect information online pursuant to criminal investigations. Similarly expansive powers are under consideration in other jurisdictions.

Large tech firms are under pressure not only to be responsive to law enforcement agencies, but also to deal with online radicalization (this is aimed at countering ISIS recruitment and inspiration). They are pledging to do so. The EU has also put big tech firms on notice that they will be expected to promptly take down content officially regarded as "hate speech." Few think any of this will be easy. Whether or not such filtering amounts to objectionable censorship, the simple intensionality of human communication is not expected to yield easily to technical controls.

Tenable Network Security released its annual Global Cybersecurity Assurance Report Card on Monday, warning of the risk of emerging technologies and the "overwhelming threat environment." Tenable assesses the GPA for the countries surveyed at 1.6: India scores highest, with a B. Japan gets an F, the United States a gentleman's C+. The average is low across sectors, too: just 1.6. Retail leads with a C. Financial services, manufacturing, and telecommunications get a C-. Healthcare, education, and government lag with a D.


Selected Reading

Cyber Attacks, Emerging Threats, and New Vulnerabilities (5)

Cyber Trends (7)

Marketplace (3)

Technologies, Techniques, and Standards (9)

Design and Innovation (6)

Legislation, Policy, and Regulation (16)

Litigation, Investigation, and Law Enforcement (3)

Cyber Attacks, Emerging Threats, and New Vulnerabilities

WikiLeaks releases 2,000 files from German inquiry into NSA spying scandal (International Business Times) Whistleblowing website WikiLeaks has released a 90GB-sized trove of data relating to the ongoing German parliamentary inquiry into the relationship between the country's foreign intelligence agency – the Bundesnachrichtendienst (BND) – and the National Security Agency (NSA)…

Mandia: Russian State Hackers Changed The Game (Dark Reading) Founder of Mandiant and FireEye CEO says Russia doesn't appear to want to cover its tracks anymore…

Europol blames rogue officer for leak of 700 pages of data on serious crimes across Europe (Computing) Data on 54 European investigations leaked following security breach by "experienced" officer…

Shodan finds confidential Europol terrorist dossiers (SC Magazine) Unprotected classified Europol files were linked to the internet and accessible via a hard drive found through Shodan…

Europol Left Red-Faced After Terror Data Leak (Infosecurity Magazine) Europol has launched an internal investigation after an officer accidentally exposed highly sensitive material on terror suspects online after contravening internal security policies…

Cyber Trends

Nation-state hacking from Russia and China set to continue into 2017, experts warn (International Business Times) Most of the biggest hacks that will happen in 2017 are 'already under way'…

Government cybersecurity readiness declining, according to survey (Federal Times) The government sector is unprepared in aggregating risk intelligence and performing risk assessments, according to the 2017 Global Cybersecurity Assurance Report Card compiled by Tenable Network Security and research partner CyberEdge Group…

One-Fifth of Government Agencies Don't Encrypt Data (Infosecurity Magazine) Nearly 20% of government agencies using a public cloud do not encrypt data, but still see security as a top priority…

Global Cybersecurity 2017 Assurance Report Card (Tenable Network Security) In 2016, Tenable Network Security introduced its groundbreaking Global Cybersecurity Assurance Report Card to measure the attitudes and perception of 504 enterprise IT security practitioners across the globe. The report quantifies how security professionals rate their enterprise’s ability to both assess cybersecurity risks and mitigate threats. These scores were combined to produce a report card score on global cybersecurity status — whether or not the world’s cyber defenses are meeting expectations…

Intentional or not, insider threats are real (Help Net Security) Despite the perception that hackers are a company’s biggest cybersecurity threat, insiders, including careless or naive employees, are now viewed as an equally important problem, according to a survey by Dimensional Research…

Migrating to cloud is no security solution; here’s why it is a collective effort (Financial Express) According to the Forcepoint 2017 Cyber Security Prediction report, organisations think they get inherent security just by migrating to the cloud…

Cyber Security: It's About Creating A Strong Defense Mechanism (CXO Today) The IT security industry is clearly responding to an ever increasing number (and complexity) of attacks. In a recent conversation with CXOtoday, Sanjai Gangadharan, Regional Director, SAARC, A10 Networks, explains that as cyber-attacks take various forms, it is important to understand all the possible modes of assault, and guard against them…

Marketplace

DHS looks to Silicon Valley innovators for bank cyber-tech (FedScoop) Officials from DHS’ Science and Technology Directorate will roll out the latest offering from their $20 million innovation acquisition program Dec. 5…

Mandatory insider-threat detection program may help Booz Allen and hurt startups (CyberScoop) Newly implemented federal rules that call for the creation of mandatory insider-threat detection programs will make competing for lucrative U.S. intelligence and cybersecurity contracts increasingly difficult for smaller defense firms, experts tell CyberScoop…

National Shortage Highlights Urgent Need For Cybersecurity Pros (Channel Partners) If you’re skilled in cybersecurity, the national job market is your oyster…

Technologies, Techniques, and Standards

Safer, Less Vulnerable Software Is the Goal of New NIST Computer Publication (NIST) We can create software with 100 times fewer vulnerabilities than we do today, according to computer scientists at the National Institute of Standards and Technology (NIST). To get there, they recommend that coders adopt the approaches they have compiled in a new publication…

The Passwords You Should Never Use (SANS Internet Storm Center) New releases of bad or weak passwords lists are common[1][2] on the Internet…

Avast launches four new ransomware decryptors (Windows Report) The rise of ransomware has given a whole new world of meanings to cyber threat. It’s now one of the dangerous malware forms in that it locks users out of their computer and important files using robust encryption tools. Unless you pay the amount demanded by attackers, you’ll have to look for other ways to recover your data. Fortunately, some of the major security vendors have got your back with free decryption tools…

Playing cyber defense is not enough to win (CSO) Sometimes offensive attacks are a necessary part of the game…

Hacking Attacks Raise Fears As U.S. Military Increasingly Outsources IT (Business Solutions) Security must extend to affiliated entities to ensure protection of sensitive data…

Laws, regulations and contracts that infosec pros should be familiar with (Help Net Security) If you’re a white hat and you want to continue being one, knowing what laws and industry regulations allow or not allow (or require or not require) you to do is of crucial importance…

Building a threat intelligence program? How to avoid the 'feed' frenzy (Tech Target) Cyberthreat intelligence is just data if it is not actionable. We offer tips to help your team focus on relevant CTI for faster threat detection and response…

Shadow IT And The Challenge Of Controlling The Cloud (Information Security Buzz) “Shadow IT” sounds like something you might see in a thriller starring Matt Damon, but it’s a clear and present danger for IT pros. It refers to the practice of people throughout a company setting up their own IT services without consulting with the IT department. It’s easy to do, thanks to the “consumerization of IT” trend and the availability of cheap or free cloud-based SaaS services from the likes of Dropbox, Google’s G Suite (formerly known as Google Apps), Microsoft Office 365, and Slack…

The Human Firewall: Why People Are Critical To Email Security (Dark Reading) Technology is just the beginning; employees must be fully on board with security procedures…

Design and Innovation

Facebook, Microsoft, Twitter and YouTube collaborate to remove ‘terrorist content’ from their services (TechCrunch) Facebook, Microsoft, Twitter and YouTube today announced they would cooperate on a plan to help limit the spread of terrorist content online. The companies said that together they will create a shared industry database that will be used to identify this content, including what they describe as the “most extreme and egregious terrorist images and videos” that have been removed from their respective services…

Facebook and Twitter Need to Shut Down Hate Speech Within 24 Hours, Europe Warns (Motherboard) Facebook, Twitter, YouTube and Microsoft aren’t responding to cases of online hate speech fast enough, according to the European Commission, which demands the technology companies review reports of hate speech less than 24 hours after they were first reported…

Facebook begins asking users to rate articles’ use of ‘misleading language’ (TechCrunch) A survey asking users about “misleading language” in posts is the latest indication that Facebook is facing up to what many see as its responsibility to get a handle on the fake news situation. At least part of its solution, it seems, is to ask users what they think is fake…

‘Rich irony’ as Facebook blocks extension to highlight fake news (Naked Security) Well, now, this is meta, said the creator of a fake-news labeling extension that Tech Crunch incorrectly identified as a new Facebook extension…

‘Spezgiving’: How Reddit’s CEO Tried And Failed to Troll the Trolls (Motherboard) Opening with the acronym for the phrase "Today I F[***]ed Up," what follows is an apology written by Reddit’s co-founder and current CEO, Steve Huffman…

Google Is Fighting Global Search Censorship In Canada's Supreme Court (Motherboard) A legal battle over the future of online censorship is raging in snowy Canada…

Legislation, Policy, and Regulation

Report on Securing and Growing the Digital Economy (Commission on Enhancing National Cybersecurity) Recognizing the extraordinary benefit interconnected technologies bring to our digital economy—and equally mindful of the accompanying challenges posed by threats to the security of the cyber landscape—President Obama established this Commission on Enhancing National Cybersecurity. He directed the Commission to assess the state of our nation’s cybersecurity, and he charged this group with developing actionable recommendations for securing the digital economy. The President asked that this enhanced cybersecurity be achieved while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the discovery and development of new technical solutions…

Statement by the President on the Report of the Commission on Enhancing National Cybersecurity (The White House) In February of this year, I directed the creation of a nonpartisan Commission on Enhancing National Cybersecurity, charging it with assessing the current state of cybersecurity in our country and recommending bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today’s digital world…

Donald Trump Advised to Train 100,000 Hackers to Protect the US (Softpedia) Commission tells Trump that cybersecurity is critical…

Obama Has a Plan to Fix Cybersecurity, But Its Success Depends on Trump (Wired) The Obama White House has had to reckon with cybersecurity like no other presidential administration in history, from China’s 2009 hack of Google, to the Office of Personnel Management breach, to the rise of botnets built from dangerously insecure “internet-of-things” devices…

DDoS, IoT Top Cybersecurity Priorities for 45th President (KrebsOnSecurity) Addressing distributed denial-of-service (DDoS) attacks designed to knock Web services offline and security concerns introduced by the so-called “Internet of Things” (IoT) should be top cybersecurity priorities for the 45th President of the United States, according to a newly released blue-ribbon report commissioned by President Obama…

Atkin: Cybersecurity, critical infrastructure will be challenges for Trump's DHS (Federal Times) Speaking at the Homeland Security & Defense Business Council’s annual gathering forecasting the state of the agency, Thomas Atkin outlined the challenges the Department of Homeland Security will continue to face in 2017…

The Internet Has Officially Become A Domain Of Warfare (Daily Caller) Congress plans on elevating the status of the U.S. Cyber Command, the cyberspace division of the armed forces, by making it its own fully unified department — a move signaling the U.S. military officially considers the internet a battle space, like air, land, space and sea…

Key Provisions in the Intelligence Authorization Act (FY'17) (Lawfare) On November 30th, the House passed H.R. 6393, the Intelligence Authorization Act for FY'17. While it remains to be seen what, if anything, ultimately emerges at the end of the process, I'd like to highlight some items in the current bill that I found particularly interesting…

Obscure legal change expands government hacking powers (Christian Science Monitor Passcode) A revision to the Federal Rules of Criminal Procedure allows law enforcement to hack suspects' computers regardless of jurisdiction. Civil liberties groups worry the change will harm individuals' privacy rights…

Opinion: Like it or not, government hackers gonna hack (Christian Science Monitor Passcode) Congress just implicitly blessed FBI hacking on a massive scale without any consideration of the privacy rights of innocent people. And even worse, they did it through an obscure process that minimized public debate…

Rule 41 Opponents Vow to Fight Government’s New Hacking Powers (Threatpost) A new rule goes into effect Thursday that gives law enforcement the ability to hack millions of computers or smartphones at once with a single search warrant. But opponents of the controversial Rule 41 say they are committed to fight the government’s expanded powers…

The FBI Should be Enhancing US Cybersecurity, Not Undermining It (Lawfare) I believe that lawful hacking is a legitimate and necessary way for law enforcement to handle certain investigations in the Digital Age. But as Steve Bellovin, Matt Blaze, Sandy Clark, and I said in our paper, the default on using a vulnerability should be to report it. One can have exceptions just as the intelligence community does, but these should be rare and only when the potential damage to innocent people is minimal…

Hacking: Not Just for the Feds! (Slate) The next big battles over law enforcement use of technology will involve local police…

Congress set to elevate CYBERCOM to unified combatant command (C4ISRNET) Congress is set to authorize the elevation of US Cyber Command, taking it from under the purview of US Strategic Command and making it a fully unified combatant command…

Server Location, Jurisdiction, and Server Location Requirements (Technology and Marketing Law Blog) At the recent “Law, Borders, and Speech” conference at Stanford, several participants debated the relevance of server location in determining jurisdiction. Some Silicon Valley attorneys at the conference argued that the location of a server should not be just one of the factors in a jurisdictional inquiry, but that it should be the determinative factor for jurisdiction…

Protecting Whistleblowers with Access to Classified Information (IC on the Record) Under the Third Open Government National Action Plan, issued on October 27, 2015, the Director of National Intelligence committed to develop a common whistleblower training curriculum that can be adopted by all federal agencies covered under Presidential Policy Directive 19, Protecting Whistleblowers with Access to Classified Information…

Litigation, Investigation, and Law Enforcement

Court upholds warrantless surveillance of U.S. citizens under Section 702 (TechCrunch) The U.S. federal appeals court has ruled in United States v. Mohamud, a case that began with a 2010 holiday bomb plot and will end with unique implications for the private digital communications of American citizens…

Court: Secret spying of would-be Christmas tree bomber was OK (Ars Technica) ACLU slams ruling, says this surveillance violates the constitution…

Child porn on government devices: A hidden security threat (Christian Science Monitor Passcode) Explicit images of minors, which have been discovered on federal workers' computers across the government, can be gateways for criminal hackers and foreign spies. What's the best way to combat the problem?…

Compiled and published by the CyberWire editorial staff. Views and assertions in linked articles are those of the authors, not the CyberWire or the OCCEAC Risk Partners.