At a glance.
- Department of Defense issues information ops strategy.
- New FCC rules aim to quiet mobile account takeovers.
- Putting prison data under lock and key.
- CISA updates software attestation form for federal contracts.
Department of Defense issues information ops strategy.
On Friday the US Department of Defense (DoD) published a plan for information operations focused on addressing impending threats to national interests. The DoD states that the Strategy for Operations in the Information Environment (SOIE) “will improve the Department's ability to plan, resource, and apply informational power toward integrated deterrence, campaigning, and building enduring advantage,” goals outlined in last year’s 2022 National Defense Strategy (NDS). In the strategy’s preface Defense Secretary Lloyd Austin states, “As a key part of our ongoing work to implement the NDS, we are updating our strategy for operations in the information environment (OIE) and ensuring that we can deter challenges to U.S. vital national interests in any arena or domain. As this document lays out, the Department has formidable capabilities in the information environment that will help us increase our competitive advantages over our competitors and foes.” The strategy identifies four lines of effort: people and organizations; programs; policies and governance; and partnerships.
As the Washington Times notes, this fourth area of focus will include collaborating with “university-affiliated research centers (UARCs), commercial entities, industry, federally funded research and development centers; [non-government organizations]; and state, local, tribal, and territorial governments and agencies” with an aim toward fighting disinformation from international rivals. Initiatives will rely on State Department officials working with joint force commanders to combat false or unfavorable narratives from foreign sources, and Pentagon public affairs officers will serve as “a key component of OIE across the competition continuum,” despite past criticism that these officials’ perspectives are sometimes colored by the media. As well, some right-wing stakeholders might worry that academics’ political takes are too progressive, but the strategy states that seeking scholarly viewpoints is necessary to combat information warfare from countries like China, Russia, Iran, and North Korea. “Each is becoming more assertive, using their informational capabilities to deny information accessibility and propagate malign influence, misinformation, disinformation, propaganda, and deception activities to influence and disrupt world order,” the report reads.
New FCC rules aim to quiet mobile account takeovers.
The US Federal Communications Commission (FCC) is issuing new rules to crack down on two types of scams that allow cybercriminals to hijack users’ mobile accounts: SIM-swapping and port-out fraud. With the former, fraudsters trick mobile carrier employees into handing over or changing users’ account passwords, and with the latter, they convince the staffer to transfer the mobile number to a new carrier. Once the scammer has accessed the user’s account, they can use it to bypass multifactor authentication and gain access to the target’s banking, crypto, or other financial accounts, and cybercriminals have even developed a SIM-swap-as-a-service industry that has helped threat groups infiltrate the enterprise networks of major organizations. The Federal Bureau of Investigation receives thousands of consumer complaints about these scams yearly, and the Cyber Safety Review Board (CSRB) put a spotlight on how SIM-swapping has been used to target corporations.
As Security Week explains, the purpose of the new rules is to give consumers greater power over their mobile phone accounts, in the hopes of preventing such scams. Wireless carriers will be mandated to inform customers of any SIM transfer requests, and a revision to the FCC’s customer proprietary network information and local number portability rules will make it more challenging for fraudsters to get their hands on sensitive subscriber information. FCC chairwoman Jessica Rosenworcel explained, “We require wireless carriers to give subscribers more control over their accounts and provide notice to consumers whenever there is a SIM transfer request, in order to protect against fraudulent requests made by bad actors.”
However, as Ars Technica points out, the new rules might not be enough to thwart these attacks. These scammers have an uncanny ability to impersonate their targets, circumvent verification procedures, and swindle undertrained, underpaid wireless employees. The FCC has revealed no concrete details about what the new, stronger authentication methods will entail, choosing instead to allow wireless carriers “the flexibility to deliver the most advanced and appropriate fraud protection measures available.” Here’s hoping these measures, when clarified, are enough to outmaneuver savvy scammers.
Putting prison data under lock and key.
A 2020 cyberattack targeting an American communications firm serving individuals incarcerated in the US prison system has prompted the Federal Trade Commission (FTC) to issue a new incident disclosure rule. The company in question, formally called Global Tel*Link and recently rebranded as ViaPath Technologies, left personal prisoner data – in some cases including Social Security numbers – exposed on the internet during a software test. As Bank Info Security recounts, the oversight gave hackers access to info on hundreds of thousands of users who rely on Global Tel*Link for phone and video services, with the bounty amounting to billions of bytes of data. Making matters worse, Global Tel*Link failed to inform most of the impacted individuals for nearly nine months after the exposure, and this was after the company touted itself as being at the forefront of cybersecurity. The FTC’s new rules require Global Tel*Link to inform the FTC of any security incidents within ten days of reporting to any other authorities, and to notify impacted consumers and facilities within thirty days. As well, the company has agreed to adopt a more robust data security program that will be in place for the next twenty years, and to provide credit monitoring services for the victims of previous breaches. Director of the FTC's Bureau of Consumer Protection Sam Levine stated, “When consumers have little or no choice about whether to use a business's products or services, the business has an even greater responsibility to ensure that its practices don't cause harm.”
CISA updates software attestation form for federal contracts.
In an effort to stress the importance of corporate cyber responsibility, the US Cybersecurity and Infrastructure Security Agency (CISA) is mandating that only top-level executives can sign off on a new secure software development attestation form for federal government agencies. The most recent draft of the form, which is part of the government’s efforts to push for secure-by-design practices in software development stemming from the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF), was released by CISA this week. On the heels of the Securities and Exchange Commission lawsuit against SolarWinds and its CISO for misleading stakeholders about the company’s cybersecurity weaknesses, the latest draft of the form is another signal that C-suite executives will be held accountable for their firms’ security issues.
The first draft would have allowed the software maker’s CEO to designate an employee to sign the form, but based on public comment in response to the first draft, now only the CEO or the COO is eligible to sign off. Jason Weiss, a former Defense Department chief software officer and current COO at TestifySec, Inc., told the Federal News Network, “In the past, there was very little reason for a COO or a CEO to go talk to an engineering manager or an engineering director to ask them about, ‘How do you make sure what you’re building is safe and resilient to the best that you can?’ And now, because of this attestation, they realize that they have to walk the halls and open those doors and have those types of conversations where none existed before.” The latest draft also includes a “good faith” element requiring the executive to pledge that, to the best of their knowledge, the company is using trusted source code. And one additional update: in lieu of signing the attestation, a company can submit an assessment completed by a Third Party Assessor Organization. While some industry groups recommended the form remove references to Software Bills of Materials (SBOMs), considered by some insiders to be too new a concept, the draft authorizes agencies to use such tools to illustrate whether a product meets security standards.
Leopold Wildenauer, senior manager for public sector policy at the Information Technology Industry Council, praised the new draft, stating, “We encourage CISA and OMB to continue this partnership with trusted industry partners as the agencies address outstanding issues like the definition of responsibilities for complex systems and the development of a secure and centralized repository.” On the other hand, cybersecurity attorney Megan Brown feels the form is just one thread in an increasingly complex web of regulations. She stated, “There’s so many other activities underway, so I think there’s a question of, is this the best way to achieve their goals, which is to grab the procurement process and try and be aggressive using it, rather than letting some of these other processes play out?” The form will be open for comment to CISA and the White House Office of Management and Budget (OMB) until December 18. Once officially adopted, agencies will be required to start using the form within three months for all “critical software” and within six months for most other products.