At a glance.
- China's Mustang Panda resumes cyberespionage against religious minorities.
- ASD moves toward a more active role in cybersecurity and critical infrastructure protection.
- Notes on the incoming US Administration.
Beijing revs up snooping on Chinese Catholics and Vatican.
Proofpoint has spotted Mustang Panda gnawing on Myanmar, African diplomats, and the Vatican with teeth sharpened on a new Golang PlugX malware loader, after a respite over the recent national holiday to lick wounds inflicted by reports disclosing its tricks. The agile APT Panda routinely evolves its tools in an attempt to elude researchers and automated detectors.
Mustang Panda has a documented taste for Catholics. CyberScoop notes that the group is using spoofed email headers purporting to belong to Catholic journalists as part of its phishbait. Mustang Panda’s present efforts represent a resumption of the targeting that Recorded Future called out in July.
This round of social engineering bait plays off the re-upped Vatican-CCP pact and mimes journalists from the Union of Catholic Asia News. Proofpoint concludes that the cyberespionage actor puts the “persistent” in advanced persistent threat, and that continued, ongoing attacks should be expected.
Canberra to permit state intervention into cyberattacks, expand critical infrastructure protection.
The Australian Financial Review contends that draft amendments to the country’s Security and Critical Infrastructure Act position it as one of the leading Five Eyes. (Others suspect that Australia's sister Eyes are using Canberra as a guinea pig, noting that Australia was the first to test anti-encryption laws and anti-Huawei measures.)
The new rule would allow the Australian Signals Directorate to assume control of cyberattack responses “in extreme circumstances” when organizations fall short, with immunity from liability for negative outcomes. Some industry observers see lack of judicial oversight as a potential problem because cybersecurity experts won’t “know what they don’t know” about companies’ idiosyncratic setups.
The amendments also classify the food, healthcare, and higher education sectors as critical infrastructure (CI), likely a response to pandemic-illuminated Achilles’ heels. These sectors will need time to reach cybermaturity, a task Australian Information Security Association Chairman Damien Manuel complains has been made more difficult by government cuts to humanities departments. “[C]yber is really holistic,” he said, requiring knowledge of humans in addition to communication, critical thinking, and policy skills.
Notes on prospective senior members of the Biden Administration, from a cybersecurity point of view.
President-elect Biden’s transition is entering its formal stage. Some of the incoming Administration’s senior appointments will have significant responsibility for cybersecurity and related matters. Presumptive US President-elect Biden plans to nominate Avril Haines as Director of National Intelligence (DNI) and Alejandro Mayorkas as head of DHS. Both served under former US President Obama, and “share a belief in…international cooperation, strong U.S. alliances and leadership, but a wariness of foreign interventions,” according to the New York Times. Mayorkas has worked as Deputy Homeland Security Secretary and US Citizenship and Immigration Services Director. Haines was Deputy Director of Central Intelligence, Deputy National Security Advisor, Senate Foreign Relations Committee Deputy Chief Counsel, and National Security Council Counsel.
We had occasion to hear Mr. Mayorkas a few times during and shortly after his earlier tenure as Deputy Secretary of Homeland Security.
At the Billington International Cybersecurity Summit in April 2016, during his service at DHS, he singled out information-sharing among government and private actors as the centerpiece of the Department’s cybersecurity work. He regards this as a "curative" as opposed to an "accountability" function. He also expressed the opinion that such sharing should go on internationally as well as domestically, and that it should include the private sector, where companies should generally follow what he took to be the good example of the financial and utility sectors, where businesses didn’t compete on security, and where they generally held that “the cure of one should be the cure of all.”
In April of 2017, after leaving office and while he was working as a partner at WilmerHale, Mayorkas offered some cautions about government regulation: It's very difficult for the government to establish standards across many areas of expertise, and he warned against moving too readily from "small-r" to "big-R" regulation. The cyber domain is, he argued, too dynamic to lend itself to quick and easy regulation. But he favored a modest incrementalism in establishing baseline standards of care. "It's woefully inadequate to define a standard of care in the crucible of the courtroom." But if we don't establish baseline standards of care and build from them, the courtroom is where they'll be defined.