Keeping Cozy Bear at bay. New European rules for Big Tech. US Labor Department zooms in on retirement account security.

Summary

By the CyberWire staff

At a glance.

Keeping Cozy Bear at bay.
New European rules for Big Tech.
US Labor Department zooms in on retirement account security.
Industry experts respond to the SolarWinds supply chain compromise.

Keeping Cozy Bear at bay.

Stanford Internet Observatory Director Alex Stamos argues in the Washington Post that the US needs a threefold inoculation against APT attacks like SolarWinds’:

1. A cyber analog to the National Transportation Safety Board to probe vulnerabilities, monitor breaches, and propose solutions, and a companion law requiring disclosure of all breaches. Currently, organizations can conceal breaches that don’t expose personal information.

2. Bolstered defensive capabilities via a beefed up CISA. One government official told Politico CISA seems “overwhelmed” at the moment. Another former official told AP News the attack is “a reminder that offense is easier than defense.” CISA has roughly two-thousand employees, while the NSA has over 40 thousand.

3. Cyber defense experts, instead of cyber lawyers, in high places. Stamos analogized that we wouldn’t appoint a malpractice lawyer surgeon general.

SC Media suggests SolarWinds clients form a “war room” in the interim to strategize against Cozy Bear, and stresses that the breach arose from a deeper defect than sloppy cyber hygiene. One Senator called the event “a massive national security failure.”

New European rules for Big Tech.

The Wall Street Journal reports that the EU and UK are contemplating the “most ambitious internet laws since GDPR.” Bills under consideration would tackle content moderation and monopolistic practices using the promise of dissolution and billion dollar penalties. The GDPR took four years to pass, and we can expect a similar timeline here.

Tech giants have cautioned in the past against regulation that could throttle innovation or freedom of speech. Facebook applauded this development, however, while Google and Amazon made noises about disparate treatment.

The rules would not touch the EU’s 230-like protections, but would impose additional responsibilities on large companies. An EU commissioner commented, “We will never say…that this company or that company is too big. But we will say that the bigger they are, the more obligations they have to fulfill.” One bill would require prodigious platforms to follow local laws in policing content and proactively address risky material.

US Labor Department zooms in on retirement account security.

Department of Labor retirement plan auditors are inquiring about companies’ cybersecurity policies and incident responses following a spate of lawsuits and an SEC warning about escalating attacks on financial advisors, according to the National Association of Plan Advisors. This new line of inquiry will test plan administrators’ protections of clients’ accounts and information.

Industry experts respond to the SolarWinds supply chain compromise.

A software supply chain compromise like the one currently unfolding from SolarWinds' Orion platform poses the particularly difficult challenge of third-, indeed nth-party risk. We've heard from several industry experts who offer perspective on how organizations might move forward.

While ordinary sound cyber hygiene isn't proof against nth-party risk, it nonetheless remains an indispensable starting point. “The SolarWinds attack raises important questions that will need to be answered as part of the currently underway investigation," Todd Moore, Senior VP, Encryption, at Thales wrote in an email. He added, "But the most important aspect will be to determine if foreign malware code was injected into their software environment undetected and how long was it there. As processes and security are evaluated, it’s important to remember that basic cyber hygiene, including multifactor authentication and proper code signing with strong certificate management, goes a long way to protecting valuable data and makes it more difficult to establish a foothold in critical systems.”

Jamil Jaffer, senior vice president for Strategy, Partnerships & Corporate Development at IronNet, explained why the SolarWinds compromise has been especially troubling:

"SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer's network. According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6% of its customers) deployed a version of the Orion platform that may have been compromised. Given previous attacks of this kind, it is likely that the scope of this threat is broader than the handful of agencies confirmed to be involved thus far. Moreover, it's worth noting that Secretary of State Pompeo suggested that a number of private sector entities were also likely targeted. Given the scope and nature of the vulnerability, and the ability to gain and escalate privileges in a significant way, it is important that affected entities apply the current patch available as well as any other appropriate patches as released.

"The jury is still out on whether or not this vulnerability has been exploited before and if it's part of a broader campaign. Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept. Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us.

"This event does highlight the challenge of managing the supply chain of individual organizations. Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors. Supply chain attacks, of course, are not new. Indeed, the classic story of the Trojan Horse itself is, in some sense, a supply chain attack. What is different about the modern era, of course, is how much of the modern supply chain relies on foreign sources. While this issue is not necessarily in play with this particular incident, our nation's reliance on foreign supply chains, particularly in China, are likely to continue to raise concerns. Moreover, this incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies."

Selected Reading

US agencies, companies secure networks after huge hack (AP NEWS) U.S. government agencies and private companies rushed Monday to secure their computer networks following the disclosure of a sophisticated and long-running cyber-espionage...

Pentagon, State Department among agencies hacked: report (TheHill) Branches of the Department of Defense and the State Department were among the agencies hacked as part of a massive espionage attack aimed at the federal government by a nation state that came to light this week.&nbs

The Scope of the Latest Russian Hack on the U.S. Is Growing (Intelligencer) The Pentagon, State Department, and more was comprised, which the authorities were reportedly not aware of for months.

SolarWinds Hack Could Affect 18K Customers (KrebsOnSecurity) The still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers, the company said in a legal filing on Monday. Meanwhile, Microsoft should soon have some idea which and how many SolarWinds customers were affected, as it recently took possession of a key domain name…

Feds Still Trying to Determine How Screwed They Are After Massive SolarWinds Hack (Gizmodo) A cyberattack that began by targeting an IT firm used by numerous federal government agencies, Fortune 500 companies, and other high-value targets is shaping up to be a historic event.

The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it. (Washington Post) When Russian hackers first slipped their digital Trojan horses into federal government computer systems, probably sometime in the spring, they sat dormant for days, doing nothing but hiding. Then the malicious code sprang into action and began communicating with the outside world.

Foreign hackers pull off successful attack despite Cyber Command's 'defend forward' strategy (Washington Examiner) The U.S. government was successfully hit this year as part of a massive global cyberespionage operation, despite the National Security Agency and U.S. Cyber Command ramping up their “defend forward” strategy in recent years and going on offense around the world.

SolarWinds attack explained: And why it was so hard to detect (CSO Online) A group believed to be Russia's Cozy Bear gained access to government and other systems through a compromised update to SolarWinds' Orion software. Most organizations aren't prepared for this sort of software supply chain attack.

The SolarWinds attack and the limits of cyber hygiene (SC Media) The U.S. Treasury Department was part of a massive supply chain attack on the SolarWinds IT management platform by Russia’s APT 29 group. Today’s

Devastating SolarWinds Compromise Makes the Case for: Microsegmentation, Virtual Airgaps and Secure Overlay Fabrics (Tempered) The compromise of ubiquitous network management software from SolarWinds is the most recent reminder of how vulnerable existing networks still can be.

People affiliated with French military used Facebook to meddle in Africa (Washington Post) It’s the first time Facebook has identified people affiliated with a Western government for sanction

Removing Coordinated Inauthentic Behavior from France and Russia (About Facebook) We removed three separate networks of accounts originating in France and Russia that targeted multiple countries in North Africa and the Middle East.

French and Russian Influence Operations Go Head to Head Targeting Audiences in Africa (Graphika) French and Russian Influence Operations Go Head to Head Targeting Audiences in Africa

White House National Security Adviser O’Brien Cuts Trip Short to Address SolarWinds Hack (Wall Street Journal) U.S. government activating coordination group to respond to cyber intrusion.

Enough is enough. Here’s what we should do to defend against the next Russian cyberattacks. (Washington Post) The details are still trickling in, but it seems possible that the latest Russian cyberattacks against the Departments of Homeland Security, Treasury and State; the National Institutes of Health; and possibly dozens of companies and departments will turn out to be one of the most important hacking campaigns in history.

Tech Giants Face New Rules in Europe, Backed by Huge Fines (Wall Street Journal) European officials want new powers to oversee internal workings at large tech companies such as Facebook, backed by threats of multibillion-dollar fines, in a bid to expand their role as global tech enforcers.

China is 'Greatest Threat' Facing UK as it Seeks to 'Exploit Pandemic,' Warns Cyber Spy Agency Chief (Sputnik) Amid the ongoing pandemic that’s laid bare chinks in the UK’s cyber defences, the Government Communications Headquarters (GCHQ) and Ministry of Defence Chiefs spoke...

FCC order to "rip and replace" Chinese 5G gear will confront Biden - Roll Call (Roll Call) Timing of the Federal Communications Commission’s latest effort to rid U.S. wireless networks of equipment from Chinese companies Huawei and ZTE means it will fall to President-elect Joe Biden and Congress to take action.

DOL Stepping Up Cybersecurity Focus (National Association of Plan Advisors) There’s been increasing awareness—and litigation—regarding cyber security and participant accounts—and the Labor Department has taken notice.

At nearly a year old the Space Force joins the Intelligence Community (Federal News Network) The Space Force will be the 18th member of the collection of agencies providing national security information.

House GOP leaders ask Pelosi to remove Swalwell from Intelligence Committee (CNN) House Republicans sent a letter Tuesday to Speaker Nancy Pelosi asking that Democratic Rep. Eric Swalwell of California be removed from the House Intelligence Committee following a report that he had been targeted by a suspected Chinese intelligence operative as part of a broader effort to establish ties with US politicians.

Exclusive: States close to filing new Google antitrust suit (Politico PRO) The bipartisan case, led by the attorneys general of Colorado and Nebraska, could be filed as soon as Thursday.