At a glance.
- Animadversions about cryptocurrency legislation.
- A US bureau of cyber statistics?
- More comment on the Senate report on Federal cybersecurity.
- NSA and CISA offer advice on securing Kubernetes clusters.
The EFF doesn’t like the US Infrastructure Bill’s cryptocurrency provisions.
The Electronic Frontier Foundation (EFF) says a “dangerous” and “poorly crafted” blockchain surveillance mandate “buried” in a draft of the Biden Administration’s infrastructure bill could sweep up miners, startups, and software developers in a new IRS definition of “broker,” which would require said parties to harvest users’ names, addresses, and other data. In addition to technical impossibility, the EFF argues, the provision would impose “clear and substantial harm” by jeopardizing privacy, security, and innovation.
White House considers establishing a bureau of cyber statistics.
Nextgov notes US National Cybersecurity Director Chris Inglis’ remarks on the Biden Administration’s current agnosticism regarding the formation of a Bureau of Cyber Statistics, delivered at a Monday Atlantic Council discussion. The CyberWire’s detailed account of the event is forthcoming.
A group of Senators last week introduced a bill that would, among other measures, establish the Bureau within the Department of Homeland Security. Inglis participated in the Cyberspace Solarium Commission, from which the proposal for a centralized database of cyber records (and for a National Cybersecurity Director) was born.
“It pains to say,” Inglis remarked, “that while the White House does not yet have an official policy on this…all would agree that in the absence of this information, we are going to be…less than optimal in our response.”
More on Federal agency cybersecurity shortfalls, from the Senate report.
The US Senate Committee on Homeland Security and Governmental Affairs staff report “Federal Cybersecurity: America’s Data Still at Risk” concludes, “Large-scale cyber incidents…make the longstanding vulnerabilities repeatedly documented by Inspector Generals all the more concerning.” The report notes that seven agencies (State, Housing, Transportation, Agriculture, Health, Social Security, and Education) “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.” The agencies failed to fully deploy EINSTEIN, maintain asset inventories, protect PII, manage access, apply patches, and update unsupported software. Several of the failings identified were in violation of Federal law.
While the Department of Homeland Security showed significant improvement over the last audit, the report emphasizes that in 2019, “the agency responsible for implementing cybersecurity standards across the Federal Government received a failing grade for its own cybersecurity posture.”
Doug Britton, CEO of Haystack Solutions, calls the report “unnerving,” and hopes it’s seen as a call to action:
“This is an unnerving report and should be considered as a call to action. These agencies deal with data that reaches the heart of what helps our country work, regulating transportation, research, and social services. It is startling to see how basic cyber protections are still not yet in place as we continue to see significant breaches making headlines. We are under active threat and need to take immediate action and make significant investment into our cyber security infrastructure starting with our talent pipeline. We have the tools to find them regardless of their background. We need everyone we can muster to join this fight.”
Rajiv Pimplaskar, CRO of Veridium, points out that lapses of the kind the report documents aren't unusual:
“Since cyber security investment often lags cyber crime, such lapses are not unusual in the federal and commercial sector. As the report indicates, systems housing user data or Personally Identifiable Information (PII) are especially vulnerable as they present bad actors with a honeypot of valuable information. A core vulnerability that needs to be addressed across many environments is the over reliance on credential or password based authentication systems. According to the Verizon Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to credential theft. Passwords are often reused, can be socially engineered, brute forced or hacked leading to a proliferation of the attack via lateral movement.
“Federal Agencies can and should adopt passwordless authentication utilizing Phone as a token or FIDO2 security keys. Such solutions reduce the attack surface of credentials that can be exploited in a data breach making the environment impervious to such attacks. Further, such solutions also reduce friction enabling a better user experience.”
Jamie Lewis, Rain Capital Venture Partner, noted that their inherent responsibilities for broad collection and use of data put Federal agencies at a high level of risk:
“Given the data they gather and functions they serve, government agencies face extraordinarily high levels of information security risk. Nation-states, criminals, and other actors bring sophisticated expertise and significant resources to bear in pursuing their objectives, and US government agencies are obvious targets. In short, economic well-being, public health, and critical infrastructure are all at risk, a fact that has become all too clear of late as attacks have escalated.
“Unfortunately, the news that our government agencies have not established comprehensive measures to manage these cybersecurity risks is not new. The report released by the Senate Homeland Security and Governmental Affairs Committee on Tuesday echoes previous reports issued by the Government Accountability Office (GAO) and other watchdog agencies. As the Senate committee, the GAO, and others have recommended, government agencies must develop a comprehensive and centralized strategy for national cybersecurity. That includes the implementation of government-wide cybersecurity initiatives and addressing weaknesses in federal agency information security programs.
“While such comprehensive approaches are clearly necessary, they take time to develop and deploy. In the meantime, government agencies can substantially enhance their security posture by improving their execution around basic security practices. These include streamlining the consistent and timely implementation of patches for known system vulnerabilities, increasing the security awareness of front-line employees, and creating better incident response programs. Government agencies must also limit the collection and use of personal information, which will reduce the risks they must manage.
“Perhaps most importantly, the mindset of agency leadership must change. Like much of the cybersecurity industry, most agency security programs have invested significantly more in prevention technologies and products than they have in detective systems. But those products are failing. Insider threats, social engineering, zero-day attacks, state-sponsored attackers, and many other factors have made an over-reliance on prevention a losing bet. Instead of pretending they can build impenetrable systems, government agencies must increase their ability to discover threats and orchestrate responses before they can do significant damage. Accomplishing that requires realigning both security architecture and the organization, which must come from the top.”
Erich Kron, security awareness advocate at KnowBe4, pointed out that government agencies are also enmeshed in various constraints that are often more restrictive than those the private sector faces. Much of the challenge may be cultural:
“The federal government is encumbered by a number of challenges not always present in the private sector. Financial constraints and slow-moving changes are significant issues within the public sector. Most parties are wanting to make the improvements that are required, however the bureaucracy often gets in the way. This can be very frustrating for the individuals trying to improve the organization’s security.
“A concerted and unified effort to improve the security posture across federal agencies is a much needed change. In the meantime, the organizations should focus on things that will provide big improvements with little cost. This includes things such as focusing on the human element and creating a more secure organizational culture.”
Advice on securing Kubernetes clusters.
In another instance of US agencies offering broadly available cybersecurity advice, NSA and CISA have issued joint guidance on Kubernetes configurations intended to help organizations build and maintain secure Kubernetes clusters.
The Cybersecurity and Infrastructure Security Agency (CISA) and NSA, GCN reports, yesterday published Kubernetes Hardening Guidance outlining pertinent threats and mitigations. The open-source container orchestration system is a popular target for data thieves, cryptojackers, and DoS attackers. Critical infrastructure, National Security Systems, and Government operators are counseled to conduct vulnerability scans and to segment and audit their networks in addition to setting up zero-trust architecture and strong authentication. The Cybersecurity Technical Report also recommends consistent patching and updating, NSA adds.
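As an added illustration of the segmentation and auditing advice summarized above (configuration written for this page, not taken from the NSA/CISA document), the manifests below put one namespace under a default-deny NetworkPolicy, re-open only the paths an API workload needs, and attach an API-server audit policy that records RBAC and workload changes in full while keeping Secret contents out of the log. The namespace name `payments`, the labels `app: payments-api`, `app: payments-db` and `k8s-app: kube-dns`, the ingress namespace `ingress-nginx`, and the port numbers are assumptions; the `kubernetes.io/metadata.name` namespace label is set automatically by Kubernetes 1.22 and later.

```yaml
# Added example (not from the NSA/CISA guidance): namespace segmentation and
# audit logging for a hypothetical "payments" namespace.
#
# Weak default: a namespace with no NetworkPolicy lets every pod talk to every
# other pod in the cluster and to the Internet. The objects below replace that
# implicit allow-all with an explicit default-deny plus narrow allow rules.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments          # assumed namespace name
spec:
  podSelector: {}              # empty selector: applies to every pod here
  policyTypes:
  - Ingress
  - Egress
---
# Only the ingress controller may reach the API pods, and only on TCP 8443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api        # assumed pod label
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # assumed ingress namespace
    ports:
    - protocol: TCP
      port: 8443
---
# Egress for the API pods: cluster DNS and the database pods; all else denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:       # namespaceSelector AND podSelector in one entry
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: payments-db     # assumed label on the database pods
    ports:
    - protocol: TCP
      port: 5432
---
# API-server audit policy (loaded with --audit-policy-file). Rules match in
# order: Secrets and ConfigMaps are logged at Metadata level so their contents
# never reach the log; RBAC and workload changes keep the full request and
# response bodies; everything else is logged at Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: RequestResponse
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  - group: "apps"
    resources: ["deployments", "daemonsets", "statefulsets"]
  - group: ""
    resources: ["pods", "serviceaccounts"]
- level: Metadata
  omitStages: ["RequestReceived"]
```

The NetworkPolicy objects are applied to the cluster with `kubectl apply -f`; the audit policy is a control-plane file referenced by the API server's `--audit-policy-file` flag (together with `--audit-log-path`), so on managed offerings it is configured through the provider rather than applied as a manifest. Two checks are worth making before relying on this: NetworkPolicy is only enforced when the cluster's CNI plugin supports it (with a plugin that does not, the default-deny object is accepted and silently ignored), and a default-deny applied to a namespace will break every existing flow that has not been given an explicit allow rule, so the allow policies should be reviewed against observed traffic first.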
Trevor Morgan, product manager with data security specialists comforte AG, wrote to put the guidance in context as advocating "a robust, varied, and comprehensive" approach to security:
“The report issued by the NSA and CISA points to a growing problem in the cybersecurity space, namely the risks associated with data processed or housed within Kubernetes environments. The report rightfully acknowledges that sensitive data is the primary target in these environments, something that threat actors are desperate to obtain and subsequently leverage. Fortunately, the report does touch upon data protection as a preventative means of security, along with perimeter- and access-based security. The general message here is to have a robust, varied, and comprehensive cybersecurity strategy that doesn’t rely on just one or two methods to protect information.
“In particular, encryption is a method touched upon in the report, but enterprises need to be aware of the fact that encryption comes with its own issues, including sometimes complex key management and the fact that encrypting data doesn’t necessarily preserve data format. The latter can cause significant issues with enterprise applications, forcing in some cases a process of decrypting data in order to work with it. De-protecting data always generates risk. Better to consider data-centric methods of protection such as tokenization, which not only renders sensitive data meaningless to anyone trying to leverage it, but which also preserves the original format of that data making it very workable by enterprise applications. Best of all, it eliminates the need to de-protect data at any point within an enterprise workflow. The benefit of that should be perfectly clear—avoid having sensitive clear text within your workflows.”