At a glance.
- Mayorkas sworn in as Secretary of Homeland Security.
- Chinese threat actors found exploiting SolarWinds for access to the US National Finance Center.
- US Defense Department's cyber doctrine gets a look from the prospective Deputy Defense Secretary.
- Predictions of the direction of US privacy regulation.
Alejandro Mayorkas sworn in as Secretary of Homeland Security.
His confirmation by the US Senate complete, Alejandro Mayorkas was sworn in yesterday as Secretary of Homeland Security. As CyberScoop and others have observed, Mayorkas arrives with a reputation for interest in cybersecurity, which he acquired during an earlier stint at DHS during the Obama Administration.
Second SolarWinds interloper named.
As we’ve seen, Solorigate investigators identified a second set of threat actors poking around SolarWinds software. Speaking on condition of anonymity, five sources told Reuters China is suspected. (Beijing’s foreign ministry commented that “China resolutely opposes and combats any form of cyberattacks and cyber theft.”) The sources said digital fingerprints matched those of China-sponsored spies.
Details are still a bit murky. The total number of victims is unknown, but the National Finance Center, which manages payroll for 600 thousand Government employees, is allegedly among them—though one spokesperson seemed to assert otherwise. SolarWinds claimed to have knowledge of only one victimized client (and no decisive evidence of whodunit). The company issued a patch in December.
The hackers abused a different bug than Huggy Bear’s, in a different way. They used the flaw to move around previously compromised networks. The origin of the initial compromise has not yet been reported.
Tim Erlin, VP, product management and strategy at Tripwire, commented on this development:
“This attack seems to be an example of more traditional vulnerability exploitation. The attackers discovered a vulnerability in the software an organization was running and exploited it. Their attack didn’t involve compromising the supply chain.
"While we’re all focused on the complexity of protecting against supply-chain attacks, it’s important to remember that there are still other software vulnerabilities out there that attackers might exploit. Unfortunately, we can’t shift our focus to the supply chain, we can only add it to the threat model as another avenue for attack to worry about.”
Katie Nickels, director of intelligence at Red Canary, thinks more news of supply chain compromise is to be expected:
“We will likely see additional developments coming out for months about supply chain compromises, both related to SolarWinds and not. Researchers have been aware of the potential of large-scale supply chain compromises for quite some time. While we’ve seen some over the years, the SolarWinds incident, and compromises stemming from it, represents a new scale that hopefully will emphasize the importance of understanding third-party risks. It’s important to remember that part of the reason additional information continues coming out about SolarWinds-related incidents is that it appears at least two groups of actors are involved. As you add additional adversaries, this makes incident response and distinction of activity more challenging.
"This set of compromises has emphasized the need for basic security measures like asset inventory and knowing your network, including having a concise list of all third party providers being used. What we saw for the first week or two after the initial SolarWinds revelations was some organizations just trying to figure out whether they even use SolarWinds products. Every network has some type of dependency on third parties. It’s not realistic to expect that any network can be completely isolated from third party risk. We as a community should work to better understand the risks and secure those connections. As part of an overall security operations strategy, organizations must understand their network dependencies and how third party services and providers should and should not be communicating with their network.”
Pentagon nominee has a few questions about defend forward.
The Biden Administration’s nominee for Deputy Defense Secretary, Kathleen Hicks, supports defending forward, but would like clarity on the who, what, where, and how, according to Defense News. At her confirmation hearing, she wondered about “how the authorities are being executed, what kind of oversight is involved, how we are consulting with allies and partners, [and] whose systems we might operate on.” Hicks also shared that she doesn’t think Cyber Command is ready to split from the NSA.
O'Melveny summarizes six data privacy and security developments to anticipate this year:
- “Consolidation and coordination of disparate technology security efforts”
- “Tackling the EU data problem”
- “Regulation of AI”
- “Ransomware reaching a breaking point”
- “Privacy laws - biometrics in the spotlight”
- “China privacy law developments”
The Biden Administration is expected to ramp up cooperative and regulatory efforts on initiatives ranging from Chinese tech to national privacy standards.