At a glance.
- Updates on cyber talks between US and Russia.
- Finding clarity on duties of US cybersecurity officials.
- Will the final frontier become the next critical US industry?
- TSA’s cybersecurity regulation development faces scrutiny.
- Comment on the US Commerce Department's Entity List.
- Comment on CISA's Binding Operational Directive 22-01.
Updates on cyber talks between US and Russia.
CIA Director William Burns met with Russia's Security Council secretary Nikolai Patrushev and other security officials in Moscow on Tuesday to discuss Russian cyberattacks against the US. "Dialogue at this level and on such sensitive issues is extremely important for bilateral relations and for exchanging views on the issues that we have," Kremlin spokesman Dmitry Peskov told Reuters. This is the latest in a series of talks on the strained relationship between the two countries, suggesting that both governments are still looking for common ground. Just yesterday the US Commerce Department added Russian cybersecurity company Positive Technologies to its Entity List, and on Tuesday Russia briefly detained former Belarusian hacker Sergei Pavlovich, who is wanted in the US; according to Pavlovich, he was later released because Russia and the US have no extradition agreement.
Finding clarity on duties of US cybersecurity officials.
The White House is drafting an executive order that will clarify the roles of its top federal cybersecurity officials, CyberScoop reports. National Cyber Director Chris Inglis’s office was established only in January of this year, and the order’s goal is to better define the office’s duties, since there has been some confusion about how its responsibilities overlap with those of other federal entities, such as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Deputy National Security Adviser for Cyber and Emerging Technology. A recent national cyber director “strategic intent statement” was intended to help clarify matters, and the executive order is meant to settle any outstanding questions. “We are in discussion within the White House about when and how to effect an executive order that would bring additional clarity to these roles and responsibilities,” Inglis explained, adding that it should help with the allocation of funding and staffing. In the meantime, the Wall Street Journal offers a helpful primer detailing the various roles of the US’s top cybersecurity officials as they currently stand.
Will the final frontier become the next critical US industry?
As the US economy becomes increasingly reliant on satellite-powered tools like GPS, questions have been raised about the vulnerability of space technology to cyberattacks. Industry forums like the Space Information Sharing and Analysis Center have been urging the White House to designate space systems as one of the US’s critical infrastructure (CI) sectors, the sixteen sectors that receive special federal attention, including intelligence warnings about cyberthreats. However, at a recent satellite industry event, National Cyber Director Chris Inglis said that space systems will not be added to this list. Inglis explained that many of the existing CI sectors already cover parts of the space industry, such as communications, which the Department of Homeland Security says includes “terrestrial, satellite, and wireless transmission systems.” Inglis told README, “Risk does not neatly align to sector boundaries. So we’re going to walk, not so much away from the critical sectors, but towards this idea that what we’re really interested in is the threats that cut across those.”
TSA’s cybersecurity regulation development faces scrutiny.
Jeffrey Greene, chief of cyber response and policy at the National Security Council’s cybersecurity directorate, says that the Transportation Security Administration (TSA) is considering a rulemaking process to clarify its cybersecurity requirements. Nextgov explains that this process would be separate from the new security directives for freight rail, passenger rail, and aviation announced earlier this month by Department of Homeland Security (DHS) Secretary Alejandro Mayorkas. “The TSA is also going to study a separate rulemaking process to develop a longer term regime to strengthen cybersecurity,” Greene stated. The effort is in response to the National Security Telecommunications Advisory Committee’s recent approval of recommendations on software security assurance for critical infrastructure.
Meanwhile, in the wake of the Colonial Pipeline attack, a group of Republican senators has requested information about the TSA’s development of the two pipeline security directives it issued this summer. In a letter to DHS Inspector General Joseph Cuffari, MeriTalk reports, the senators asked about reports that TSA and the Cybersecurity and Infrastructure Security Agency (CISA) did not take industry feedback into account, and that TSA failed to provide a draft of the directives to Congress. As the letter states, “We agree that critical infrastructure must be protected against cyber-attacks, particularly in the wake of the Colonial Pipeline ransomware attack, but the process by which TSA has issued these directives raises concerns.”
Comment on the US Commerce Department's Entity List.
Bill Lawrence, CISO, SecurityGate, commented with approval on the recent Department of Commerce decision to add to its Entity List four companies involved in selling intercept tools. Placement on the list will make it more difficult for the companies to gain or retain access to US-developed technology. Lawrence likes what he sees:
“Cyber tools used for spying operations have increased in capability but also notoriety in recent years. Here, the United States is on the side of the angels (relief organizations, dissidents, refugees, and more) that have been targeted and persecuted using information gained by authoritarian governments. Economic measures can be effective against these groups, although the effort can seem like hitting puddles with sledgehammers as they reform in other ways. Still, this is a good thing, and another would be if the US government stopped continually trying to get “back doors” installed in its own citizens’ electronics. For those concerned about the spy technology, keeping up-to-date operating systems and regularly rebooting (at least daily) seem to be effective.”
Comment on CISA's Binding Operational Directive 22-01.
CISA's Binding Operational Directive 22-01, binding on US Federal civilian agencies, but worth close consideration by the private sector as well, also drew favorable comment.
Tim Erlin, VP of Strategy at Tripwire, likes the common list of vulnerabilities, which he sees as an aid to sound setting of priorities:
“There is little doubt that patching vulnerabilities that are actively being exploited is a good idea. By providing a common list of vulnerabilities to target for remediation, CISA is effectively leveling the playing field for agencies in terms of prioritization. It’s no longer up to each individual agency to decide which vulnerabilities are the highest priority to patch. The positive outcome to expect here is that agencies will address these vulnerabilities more effectively with this guidance. There’s also a risk that this approach won’t account for nuances in how risk is assessed for each agency, but there’s plenty of evidence that such nuances aren’t being accounted for now either.
"This binding directive can’t be viewed in a vacuum, however. This directive doesn’t do anything to improve any agency’s operational capabilities to remediate vulnerabilities. That support has to come from other actions, such as the President’s Executive Order on cybersecurity.
"This directive does two things. First, it establishes an agreed upon list of vulnerabilities that are being actively exploited. That list is maintained by CISA. Second, it provides due dates for remediating those vulnerabilities. The two actions are tied together with the intent of dramatically reducing vulnerability risk for the US Government.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, also thinks CISA has performed a valuable service by pointing out which vulnerabilities are the ones organizations need to worry about:
"What CISA is doing is great! They are to be applauded. They are doing a few things that I think are not getting enough press. First, they are culling out the number of patches that people need to be worried about. Each year, over 10,000 vulnerabilities are found that end up getting patched. Last year, it was 18,103 things. But only 2% of those exploits EVER get exploited in the wild by an attacker. Those are the only ones that we really need to be worried about and need to patch. But which ones? Well, CISA is now maintaining that list. They call it a vulnerability management catalog. But what they put in their log is only actively exploited vulnerabilities. So, you want to know what you really need to patch? There you go. Second, they say you have to mitigate the included new and existing 2021 vulnerabilities within two weeks. That solves another long-standing problem, which was how quickly to patch after the patch was released. Most regulations say something general, like "apply critical patches in a timely manner." CISA is telling you what is critical...it is in their catalog. Second, they are saying it needs to be done within two weeks (subject to change). There you go. They have officially defined "timely". Third, they mandated it across the government (with some notable exceptions). It takes all the fuzziness out of patch management. No one can say they did not understand what they needed to do regarding patch management. The U.S. government has now told you. I think any public company that does not follow this advice should be required to pass a "reasonable person" standard and explain why they are not doing what the U.S. government said every organization they control should be doing. Again, I congratulate CISA and Dir. Easterly. She has come in and in only a few months, started to aggressively push good information and advice several times a week. 
They are trying to educate more people in cybersecurity, provide more cybersecurity professionals to all companies and industries, and starting to define, in concrete, things that used to be more fuzzy. Exciting news."
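The mechanism the commenters above describe, a CISA-maintained catalog of exploited CVEs with a due date on each entry, is something a vulnerability-management team ends up automating: pull the catalog, match it against what the scanners found, and report what is in the catalog and already past its due date. The following is an added example, not code from the original piece or from CISA. It uses the field names of CISA's Known Exploited Vulnerabilities JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) but embeds a constructed three-entry sample rather than fetching the live feed, so it runs offline; the CVE IDs are real catalog entries, while the dates, text and the scanner findings are constructed for illustration. The `SAMPLE_FINDINGS`, host names and the `run_example` helper are likewise assumptions made for the example.

```python
"""Match scanner findings against a KEV-style catalog and flag overdue entries (added example)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed. Field names follow the real feed;
# the dates, descriptions and version string are illustrative, not copied from it.
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2021-11-03T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "sample entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17", "notes": ""},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
         "vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "sample entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17", "notes": ""},
        {"cveID": "CVE-2019-19781", "vendorProject": "Citrix", "product": "ADC and Gateway",
         "vulnerabilityName": "Citrix ADC and Gateway Directory Traversal Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "sample entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03", "notes": ""},
    ],
})

# Constructed scanner output: (host, CVE). Case of the CVE ID varies on purpose, as it
# does between scanners; the last CVE is deliberately absent from the sample catalog.
SAMPLE_FINDINGS = [
    ("mail01.example.internal", "CVE-2021-26855"),
    ("vpn-gw.example.internal", "cve-2019-19781"),
    ("print01.example.internal", "CVE-2021-34527"),
    ("web03.example.internal", "CVE-2021-3711"),
]


def load_catalog(raw_json):
    """Index the feed by upper-cased CVE ID and parse each dueDate into a date."""
    feed = json.loads(raw_json)
    catalog = {}
    for entry in feed["vulnerabilities"]:
        catalog[entry["cveID"].upper()] = {
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "due": date.fromisoformat(entry["dueDate"]),
            "action": entry["requiredAction"],
        }
    return catalog


def triage(findings, catalog, today):
    """Classify each finding as 'overdue' (in catalog, past dueDate), 'due' (in catalog,
    deadline still ahead) or 'not-in-kev', and return them with overdue items first,
    longest-overdue at the top. Not-in-kev items still need normal patching; they are
    just outside the directive's deadline."""
    order = {"overdue": 0, "due": 1, "not-in-kev": 2}
    results = []
    for host, cve_id in findings:
        cve = cve_id.upper()
        entry = catalog.get(cve)
        if entry is None:
            results.append({"host": host, "cve": cve, "status": "not-in-kev",
                            "due": None, "days_overdue": 0, "action": None})
            continue
        lateness = (today - entry["due"]).days
        results.append({"host": host, "cve": cve,
                        "status": "overdue" if lateness > 0 else "due",
                        "due": entry["due"].isoformat(),
                        "days_overdue": max(lateness, 0),
                        "action": entry["action"]})
    results.sort(key=lambda r: (order[r["status"]], -r["days_overdue"]))
    return results


def run_example(today_iso="2021-11-20"):
    """Run the sample findings against the sample catalog as of a fixed date."""
    catalog = load_catalog(SAMPLE_CATALOG_JSON)
    return triage(SAMPLE_FINDINGS, catalog, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in run_example():
        print(f'{row["status"]:<11} {row["cve"]:<16} {row["host"]:<26} '
              f'due={row["due"]} overdue_days={row["days_overdue"]}')
```

The real feed is the authority on due dates, so the code reads `dueDate` from each row rather than recomputing the two-week or six-month deadline itself; swap `SAMPLE_CATALOG_JSON` for the downloaded feed and `SAMPLE_FINDINGS` for your scanner export to use it as written.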
And Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, offers an account of why organizations need this kind of guidance:
"It’s an unfortunate fact that some government agencies can be among the slowest institutions to implement security patches in a timely manner. There are three major things at play here. First, some agencies rely on software only compatible with unsupported underlying systems such as Windows Server 2003 or even Windows XP Embedded. It’s not uncommon for us to identify these legacy, and therefore unpatched and vulnerable systems only to be told they can’t be patched or upgraded as they would break the software package they depend on operationally, and that to migrate to a new solution is outside their immediate budget. This, however, is penny smart and pound foolish. With modern cyberattacks now routinely reaching into the millions of dollars of damages, especially with ransomware, leaving a known vulnerable system online becomes an expensive risk. The second factor can be organizational inertia. The standard change review and approval process can delay the implementation of security patches, leaving the organization at risk of significant damage in the meantime. This is not to say, however, that such processes should be abandoned altogether, after all, many vendors release patches that routinely break functionality in some way or another that you want to test out yourself to avoid unexpected outages. Rather, it’s important that the approval process has provisions for acceleration in place to more quickly address the most critical of risks, and that a ready to go test lab and validation testing protocol exists for quickly and efficiently testing out security patches for unforeseen adverse effects. The third thing that can cause extended delays in implementing critical patches is lack of insight on what vulnerable systems and applications are present in the environment. Orphaned or forgotten systems that are vulnerable to high severity exploits can blindside even the most otherwise efficiently run organizations. 
To have visibility into where risk lies, organizations should engage in frequent vulnerability scanning as well as routine penetration testing to identify any systems or applications that may have fallen through the cracks of the normal patch management and software lifecycle processes."