At a glance.
- Protecting US water systems from cyber attack.
- UK IoT cybersecurity bill.
- Israel seeks more control over cyber exports.
- US-Russian summit discusses Ukraine crisis, cybersecurity.
- Cyber conflict as the new norm of major power competition.
US moves to protect water system from cyberattacks.
As the cybersecurity of critical infrastructure systems remains at front of mind, US officials are drafting a proposal to protect the nation’s water supply networks. The Wall Street Journal reports that trade groups in the water sector are supplying feedback on where the industry's current tech stands and what the government can do to improve it. Kevin Morley, manager of federal relations for the American Water Works Association, explained, “It gives visibility to our federal partners. But how is that information shared back for the net good of the sector, or other sectors, for that matter?” Launched in April, the Industrial Control Systems Cybersecurity Initiative at first focused on electric utilities, then was expanded to include the natural gas supply, and now the water supply is the latest addition. This particular utility poses challenges as the water system is controlled by thousands of organizations, many of which utilize outdated technology with glaring vulnerabilities.
UK introduces IoT cybersecurity bill.
TechCrunch discusses the UK’s Product Security and Telecommunications Infrastructure bill, introduced in Parliament this week. Internet of Things devices have become easy targets for threat actors as these smart products have become more ubiquitous. Anti-virus firm Kaspersky reports there were 1.5 billion breaches of IoT devices in the first half of 2021 alone, nearly double the number of breaches in all of 2020. The bill highlights three main minimum security standards: a ban on universal preset default passwords, a manufacturer-provided point of contact for customers to report security issues, and regular communication with users regarding device security updates. Violators could face penalties of £10 million or 4% of the manufacturer’s annual revenue, and up to £20,000 a day for prolonged contravention. Some experts see the bill as a common sense measure, but dissenters worry the law could create more problems than it solves. Matt Middleton-Leal, managing director at Qualys, states, “Stopping default passwords is laudable, but if each device has a private password, then who is responsible for managing this?...This is dangerous territory where manufacturers may have to provide super-user accounts or backdoor access.”
Israel tightens its grip on cyber exports.
In the midst of controversy surrounding Israeli surveillance tech company NSO Group, Israel's Defense Ministry has announced it will be increasing its oversight of cyber exports, explaining that countries purchasing Israeli tech will be required to promise the products will only be used “for the investigation and prevention of terrorist acts and serious crimes only.” As ABC News explains, the new guidelines also more clearly define terrorism as “acts that are intended to threaten a population and may result in death, injury, hostage-taking and more,” and countries found in violation of the new measure could face sanctions. Though NSO was not mentioned in the Ministry’s announcement, it’s likely the move was motivated by the Pegasus software scandal, which resulted in a lawsuit from Apple and landed NSO on the US Commerce Department’s blacklist.
US and Russia to discuss rising tensions in Ukraine.
A virtual summit will take place today between US President Joe Biden and Russian President Vladimir Putin, and though details of the call have not been disclosed, experts posit Biden will likely urge Russia to decrease hostilities in Ukraine. As Newsweek notes, a senior Biden official indicated the US would like to avoid a direct clash with Russian forces, preferring instead to engage in “a combination of support for the Ukrainian military, strong economic countermeasures [and] a substantial increase in support and capabilities to our NATO allies to ensure they remain safe.” Breaking Defense explains US assistance could come in the form of providing US military support in an expansion of the 2014 European Reassurance Initiative. A US official remarked that, instead of resorting to traditional force, Russia could opt instead to engage in a cyberwar against Ukraine, “one in which they rely more heavily on information operations, cyber and destabilization activities.” The Record by Recorded Future adds that Russia has already increased social media activity promoting anti-Ukrainian propaganda, similar to what was seen before Russia’s 2014 invasion of Ukraine.
Early reports out of the summit indicate that the both sides took a relatively hard line; the two-hour discussion does not sound particularly irenic. Bloomberg quotes the Russian side as calling the tone "frank and businesslike." President Putin demanded a stop to NATO diplomatic and military rapprochements with the countries of the Near Abroad, since Russia views that as effectively a preparation for an attack on Russia itself. President Biden warned that Russian military action against Ukraine would draw severe economic sanctions. In the event of an invasion, US National Security Advisor Sullivan said the US would “provide additional defensive material to the Ukrainians, above and beyond that which we are already providing” Nothing has emerged so far on what, if any, cyber tensions were discussed during the session.
Cyber conflict as the new normal.
Mandiant has determined that the Russian threat actor behind the SolarWinds compromise (generally thought to be an operation of the SVR foreign intelligence service) hasn't withdrawn from that and other comparable operations. Microsoft, for its part, announced that it had taken down websites used by Chinese intelligence services to collect against "foreign ministries, think tanks and human rights organizations in the U.S. and 28 other countries, chiefly in Latin America and Europe." The AP summarizes the implications of both reports. Erich Kron, security awareness advocate at KnowBe4, commented that this kind of conflict is now the norm among competing powers:
“Cyberwarfare is now simply a part of modern geopolitical life, so we cannot expect these attacks to ease up any time soon, especially from state-sponsored actors. These attacks will continue to escalate as techniques improve and more resources are allocated to cyberwarfare.
"Because so much data is in digital formats these days, unlike earlier days of spycraft where humans on the ground played a key part of espionage, modern cyber espionage can be done from thousands of miles away. Also, significant data can be stolen in the blink of an eye, or active attacks, such as ransomware, launched at their leisure.
"Since many of these nation-states leverage social engineering and email phishing as the primary means of initial infiltration, organizations of all sizes would benefit greatly from a strong security awareness training program with a focus on changing the employees' behavior and a program where users report suspected phishing emails to security staff.”