At a glance.
- US mulls responses to Solorigate.
- FSB warns Russian businesses to watch out for US cyberattacks.
- Cybersecurity Maturity Model Certification (CMMC) notes.
- Temporary suspension, pending further study, of US Executive Order on bulk power security.
How do you solve a problem like…Solorigate?
As we’ve seen, US President Biden has referred to Solorigate as an “attack” (and others have questioned this label), which NBC News says represents “an important designation in the cybersecurity world, where a certain level of digital espionage is considered fair game.” The Administration has not yet revealed its next steps. Last Wednesday the White House Press Secretary commented that “we reserve the right to respond at a time and in a manner of our choosing to any cyberattack.” On Thursday she said the Administration is working “to hold Russia to account for its reckless and adversarial actions. And to this end, the President is also issuing a tasking to the intelligence community for its full assessment of the SolarWinds cyber breach” and other Russian acts of aggression.
NBC reflects that Washington is often hesitant to overtly sanction perpetrators of cyberespionage. Following Beijing’s 2014 hack of the US Office of Management and Budget, for example, the Obama Administration did not “publicly retaliate or even stress Beijing’s guilt.” The US has, however, “called out a variety of government hacking campaigns when it wants to put guardrails on how other countries act in cyberspace.”
WENY adds that delays in filling top posts may postpone any response, while noting a Government official’s remarks to the effect that “there will almost certainly be a cost imposed for this activity” since “there is a price to be paid for getting caught, even if the attack technically falls within the lines of foreign espionage.” A former NSA director tempered expectations, cautioning that the US is “not prepared” for an escalation of the conflict.
FSB warns Russian businesses to BOLO US cyberattacks.
Russia’s FSB has issued an alert, “On the threat of targeted computer attacks,” warning businesses of an increased likelihood of US cyberattack. “In the face of constant accusations against the Russian Federation by representatives of the United States and their allies of [Russian] involvement in organizing computer attacks, as well as threats from their side [of] ‘retaliatory’ attacks on the Russian Federation’s critical information infrastructure, we recommend taking the following measures to improve the security of information resources.” Those measures amount to a sound if anodyne list of fifteen cyber hygiene best practices.
ZDNet characterizes the FSB's alert as a response to remarks by the new US Administration last Wednesday. Referring to Solorigate, a representative said, “we reserve the right to respond at a time and manner of our choosing to any cyberattack.” US officials have attributed the cyberespionage campaign to Russia. Russia has categorically denied any involvement.
CMMC tips.
SME says Cybersecurity Maturity Model Certification (CMMC) has even “the most staid of supply-chain leaders…scrambling,” but Smart Manufacturing’s Collective Intelligence roundtable is here to help. Roundtable experts reminded viewers that the CMMC’s third-party assessors “will be thorough,” and certification will require a significant amount of time. (For a small firm, the audit may take a few hundred hours.) Assessors will likely speak with employees, inspect documents and systems, and test operations.
There are no shortcuts. Smart products are no replacement for “developing an enterprise-wide culture of security,” and can actually multiply “targets for mischief.” And while NIST 800-171-compliant companies will have a head start, given the overlap with CMMC, they shouldn’t rest easy, but should perform self-assessments and contact clients with any questions.
Finally, vendors need to understand threat actors’ aims. Verizon’s 2020 data breach report identified money as the motive behind the majority of breaches. SME notes that “[i]t’s cheaper and simpler to steal something than to design it yourself,” and everyone from small-time criminals leveraging ransomware as a service to the People’s Liberation Army takes advantage of this fact.
Executive Order excluding Chinese equipment from the US power grid temporarily suspended.
The flurry of Presidential actions last Wednesday had little direct effect on cybersecurity policy. One of President Biden's actions, however, did: it suspended, at least temporarily, President Trump's order that would have excluded Chinese-manufactured hardware from the US electrical grid. The relevant portion of President Biden's Executive Order on Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis reads in part, "Executive Order 13920 of May 1, 2020 (Securing the United States Bulk-Power System), is hereby suspended for 90 days. The Secretary of Energy and the Director of OMB shall jointly consider whether to recommend that a replacement order be issued."