At a glance.
- Private surveillance vendors and those who buy from them.
- A bipartisan Congressional report finds US Federal cybersecurity less than fully successful.
- Comment on the effects of SolarWinds exploitation on US Attorneys.
The growth of private surveillance vendors.
As France 24 prepares legal action over Pegasus Project revelations, according to the Guardian, and Israeli cyber firms participate in emergency meetings, CyberNews reviews the broad ecosystem of spyware vendors. Noting that Governments of all stripes have engaged spy outfits “for most of history,” the piece details the ascent of surveillance tools during the past two decades, starting with Italy’s Hacking Team and Germany’s FinFisher. Well-funded by private equity, the largely unregulated spyware industry took off in conjunction with the market for zero days. At present, dozens of firms sell to sixty-five-plus Governments.
Authoritarian states typically buy what they don’t know how to produce, whereas democratic countries launder their spying through companies to skirt domestic laws. (Other businesses like China’s Weibo and WeChat, and arguably the US’ Facebook and Twitter, collaborate with Governments to target and censor users, exposing greater volumes of private data than NSO Group.)
Some onlookers see regulation in spyware firms’ futures, with room for a mandatory vulnerability disclosure regime to throttle the zero day market, and demand for an anti-spyware industry to protect prominent targets and devise countermeasures. Others recognize the strategic, political, and economic importance of spyware firms to their host countries, and predict only greater profits for those currently receiving bad press.
US agencies in the cybersecurity doghouse.
The Record says a bipartisan Congressional review revealed numerous persistent cybersecurity failings across the US Federal Government. While the Department of Homeland Security received good marks, the report scolded Education, Transportation, State, Health, and others for dropping the ball “despite years of warnings.” Their “basic” failures included website vulnerabilities, exposed credit card numbers, accessible defunct classified accounts, and 14,000 unaccounted-for assets.
Senator Rob Portman (Republican of Ohio) commented that some of these shortcomings “have been outstanding for the better part of a decade” and leave “national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.”
The report advised revamping EINSTEIN, IT investments, and agency CIO authorities.
Comment on the compromise of US Attorneys during SolarWinds exploitation.
It emerged Friday, in a US Justice Department announcement, that the SolarWinds campaign successfully compromised email accounts in twenty-seven US Attorneys' offices. Most heavily affected were the US Attorneys for the Eastern, Northern, Southern, and Western Districts of New York, where some 80% of employees' Office 365 accounts were compromised. The US has attributed the SolarWinds campaign to Russia's SVR foreign intelligence service.
We heard from ExtraHop's Vice President for Global Security Programs, Mike Campfield, who observed that:
"As expected, months later organisations are still uncovering the effects of the sophisticated SUNBURST attack as email accounts belonging to the former acting head of the Department of Homeland Security (DHS) have been found to be breached. With this new information coming to light, we can assume we still don’t understand the full extent of the damage."
He thinks that visibility and behavioral detection systems afford the most promising ways an organization can prepare to survive this sort of attack:
"The SUNBURST hack must be taken as a wake-up call as these types of supply chain attacks continue to plague even the most sophisticated organizations. We know that there are going to be new exploits and unknown threats coming at enterprise and public sector organizations. Using signatures and rules to detect known attack vectors isn’t enough, and it hasn’t been for some time. The question is: how do you stop threats when you don’t know what you’re looking for?
"As a starting point, you need continuous, real-time visibility across your IT estate, not just at the edge but inside the perimeter. Network detection and response provides that critical visibility into activity, even covert activity, happening on the network. You also need behavioural detections that go beyond just rules and signatures so you can spot anomalies that indicate the presence of an unknown threat. Finally, you also need a way to take quick action to shut down post-compromise activity and investigate it fully to understand what data and systems were impacted, even if the dwell time lasted for months. The only way to do this is through intelligence at the network level."