Cyber doctrine. CMMC and the information-sharing requirement. DoJ says no evidence of significant election fraud.

Summary

By the CyberWire staff

At a glance.

Cyber doctrine for the next administration?
Information-sharing under the Cybersecurity Maturity Model Certification (CMMC) program.
US Department of Justice reports finding no evidence of significant election fraud.

A cyber doctrine for a Biden Administration.

TAG Cyber CEO Edward Amoroso published national cybersecurity advice for US President-elect Biden on LinkedIn last week. Amoroso thinks the US should return focus from centralized offense to distributed defense, despite its greater difficulty. Since threat actors typically exploit local vulnerabilities, and CISOs often know what needs to be done but lack the resources, integrated initiatives like Einstein 2 should be phased out in favor of a “mosaic of distinct and diverse” efforts, with CISA funds and personnel reapportioned to frontline institutions, he says.

Amoroso also gripes that the US puts too much stock in friendly alliances and unfriendly pleas at the expense of domestic technical know-how, calling for a national cybersecurity program where youths would receive free college in exchange for five years of service.

In the comments section, the CISO of Eclipzo.io highlighted some benefits of centralization, including greater manpower and streamlined solutions.

CMMC raises information-sharing challenges.

The Information Technology Industry Council (ITI) says higher levels of Cybersecurity Maturity Model Certification (CMMC) appear to require information sharing that might be prohibitively pricey, Nextgov reports. CMMC came into force yesterday, and any comment-driven revisions will be implemented early next year.

Certification levels 4 and 5 include metrics related to APT defenses. CISA advises organizations to exchange TTP findings via Information Sharing and Analysis Centers (ISACs), but ISAC membership can be costly, and companies lack the liability shields to use other routes.

ITI is also worried about the risk posed by third party auditors, who will work as volunteers to certify roughly 300 thousand organizations. The Council hopes DoD will step in on assessments of higher security vendors. (A root concern seems to be threats to confidential business information or fairness posed by auditors with potential conflicts of interest or inadequate training.)

DOJ hasn’t found proof of widespread election fraud.

The Delaware Republic reports US Attorney General Barr yesterday informed the Associated Press the Justice Department has not “to date” uncovered “fraud on a scale that could have affected” the election’s outcome, in contrast to earlier cautionary statements about mail-in voting. President Trump’s lawyers responded that “there hasn’t been any semblance of a Department of Justice investigation,” and their legal struggle will continue.

Selected Reading

China drafts rules on mobile apps' collection of personal data (Reuters) China unveiled draft guidelines on Tuesday seeking to limit the scope of mobile apps' collection of personal data in the latest attempt to curb the sprawling technology sector.

Telia to remove all Huawei equipment in Lithuania (Reuters) Sweden's Telia Company will replace all 4G telecoms equipment from Huawei in Lithuania and will not use it for 5G networks, due to the geopolitical situation, its local head told the local BNS news agency.

The 2020 Amendment to the Act on the Protection of Personal Information of Japan (Lexology) The 2020 amendment to the Act on the Protection of Personal Information of Japan (the Act itself, "APPI," and this amendment, "2020 Amendment") was…

Trump Threatens to Veto Defense Bill if Tech Liability Shield Stands (Wall Street Journal) The president is demanding the termination of the broad legal immunity that social-media companies enjoy.

How The Biden Administration Might Change Cybersecurity (Governing) The incoming administration could mean significant changes for technology, especially where federal cybersecurity is concerned. The increased attention will no doubt mean big changes for state and local governments as well.

A Biden Doctrine for Cyber (LinkedIn) The first mistake the US federal government has made in cyber security since 2000 has been its mistaken belief that the best defense is a good offense. The truth instead is that the best defense is a good defense.

U.S. Federal Cybersecurity - A Look at the Computer Security Act of 1987 (The State of Security) The Computer Security Act was enacted to provide strong internal computer security governance for U.S. Federal agencies.

‘Start Of A New Day’: DoD’s New Cybersecurity Regs Take Effect Today (Breaking Defense) Designed to raise help secure the supply chain, CMMC requires the defense industrial base to secure Controlled Unclassified Information.

Cross-agency plans for space cybersecurity will strengthen the US in all domains (C4ISRNET) Just as cybersecurity has become an integrated element of terrestrial goods and services, the same level of resiliency and safeguards must apply in space.

Doing Things Differently at DISA (SIGNAL Magazine) The combat support agency seeks to drive innovation as it focuses on cybersecurity, infrastructure modernization and enterprise communications.

All Domain Requires New Requirements Process; DoD, Congress Must Compromise: Lt. Gen. Hinote (Breaking Defense) "We have got to come up with a compromise with the people's representatives when it comes to defining requirements in the future," he said.

Air Force Mulling New Career Fields for Coders, Data Analysts (Air Force Magazine) The Department of the Air Force is working to create new career fields in areas like software development and data science.

Massachusetts lawmakers vote to pass a statewide police ban on facial recognition (TechCrunch) The bill was finally passed after months of deadline.

Trump administration launches rewards program targeting North Korea and China (Washington Post) The Trump administration on Tuesday announced a $5 million reward for tips on sanctions-busting activities that allow North Korea to continue developing nuclear weapons and accused China of facilitating the illicit trade.

North Korea Rewards for Justice (US State Department) Rewards for justice North Korea Sections Sections Up to $5 Million Reward 01 In order to support international efforts to disrupt North Korea’s illicit activities, the State Department’s Rewards for Justice (RFJ) program offers rewards of up to $5 million for information that leads to the disruption of financial mechanisms of persons engaged in certain […]

Shadow Academy: Hiding in the shadows of Mabna Institute (RiskIQ) In early July 2020, RiskIQ began tracking a phishing campaign identified initially through our crawling infrastructure targeting higher education. Isolating the research scope from July 2020 into October 2020, RiskIQ uncovered 20 unique university targets in Australia, Afghanistan, UK, and the USA that had been targeted using similar tactics, techniques, and procedures (TTP) as Mabna Institute. The observed TTP’s alone can not directly attribute our research findings to Mabna Institute. Therefore RiskIQ has named actors identified during this research as "Shadow Academy."

Advanced Persistent Threat Actors Targeting U.S. Think Tanks (US-CERT) The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks.

WSJ News Exclusive | North Korean Hackers Are Said to Have Targeted Companies Working on Covid-19 Vaccines (Wall Street Journal) At least six pharmaceutical companies in the U.S., the U.K. and South Korea were targeted, according to people familiar with the matter.

State-Supported Actors Use Coin Miners to Stay Hidden (TechNadu) A group of Vietnamese hackers is planting Monero miners to create a false idea about the info-stealing intrusion.

Turla Crutch: Keeping the “back door” open (WeLiveSecurity) ESET researchers uncover a new backdoor, called Crutch, that the infamous Turla APT group has used for exfiltrating stolen documents to Dropbox.