At a glance.
- Workers at CSE vote to strike.
- US mulls and plans recovery from Solorigate.
- US House bill outlines cyber diplomacy goals.
- US Executive Order addresses supply chain resilience.
- PLA surveillance of Tibetan dissidents.
- Hiring Gamaredon to work against Ukraine.
Strike vote at Canadian intelligence agency.
Hundreds of the nearly three-thousand-strong workforce of Canada’s Communications Security Establishment (CSE) have voted on whether to strike for a pay increase that would bring salaries up to the private-sector going rate, CBC News reports. The CSE handles “foreign intelligence and cybersecurity,” and last summer, for example, it blocked an attempt against coronavirus research. A union spokesman said management can prevent a strike by entering into negotiation or arbitration. CSE leadership assured the public that operations will continue uninterrupted with or without a walkout.
Recovering from Solorigate, and preventing a repetition.
Participants at Tuesday’s Senate Select Committee on Intelligence hearing on Solorigate described the hack as the worst the world has seen to date, though Senator Rubio (Republican of Florida) cautioned against using the language of “attack” until the threat actors’ motives and the full scope of the damage are known. FireEye CEO Kevin Mandia’s characterization of the breach as precise, targeted collection threw cold water on the Administration’s recent attempts to characterize the event as indiscriminate and destabilizing. Microsoft President Brad Smith floated potential alternative cyber norms: putting health care entities, electoral infrastructure, and patching and updating mechanisms off limits.
As ZDNet details, much of the conversation centered on mandatory disclosure and associated liability protections (an ask Nextgov says SolarWinds has emphasized). Senator Collins (Republican of Maine) underscored the need for reporting by pointing out that eighty-five percent of US critical infrastructure is privately owned. Questions were raised about who should collect and act upon the disclosures, and what the threshold for disclosure should be. Some suggested Washington look to models from other industries, like the financial and transportation sectors. Mandia recommended immediate, confidential threat intelligence sharing, followed up later by legal disclosure to impacted parties.
Smith said he would also like broader intragovernmental sharing permissions, noting that Solorigate reporting was slowed by contractual prohibitions. The SolarWinds and CrowdStrike CEOs added that a single Governmental point of contact or communication hub would be welcome.
As the Wall Street Journal and C4ISRNET report, Smith and Mandia observed that smoother public-private information flow could have sped up diagnosis of the breach. Smith pointed to intelligence agencies’ domestic limitations, and Mandia commented, “The minute we disclosed what happened, it connected a lot of dots for a lot of folks.”
The Federal News Network reminds readers these proposals aren’t novel: Collins pitched mandatory disclosure in 2012, and the Cyberspace Solarium Commission called for improved intel sharing last year. The Washington Post attributes past inaction to “aggressive industry lobbying and Republican wariness over regulation.” Insurance Journal quotes a cybersecurity attorney’s opinion that “the chances of getting a federal omnibus privacy and data security law are looking more likely to happen next year” given Congress’ current preoccupation with Covid.
Mandia also advised the Government that its job is to “impose risk and repercussion” and determine attribution. Saying the private sector cannot continue to play goalie against “Wayne Gretzky,” he asked the Government to draw a clear red line. Senator Wyden (Democrat of Oregon) countered that companies’ Solorigate fatalism “leads to privacy-violating laws and billions of more taxpayer funds for cybersecurity.”
A bill in the US House addresses cyber diplomacy.
The text of a US House bill whose stated purpose is the enhancement of cyber diplomacy is now available. The proposed measure would make it "the policy of the United States to work internationally to promote an open, interoperable, reliable, unfettered, and secure Internet governed by the multi-stakeholder model." That policy would promote human rights, democracy, the rule of law (including freedom of expression), innovation, communication, and prosperity; it would also respect privacy and work against "deception, fraud, and theft." The legislators have Russia and China in view, as the draft's "Findings" clearly indicate.
An Executive Order for supply chain resilience.
US President Biden yesterday signed an Executive Order directing a comprehensive review of the resilience of American supply chains. The order includes, but isn’t limited to, software supply chains. Other areas specifically addressed include biomedical supply chains, an obvious nod in the direction of COVID-19 vaccine development and delivery, and IT hardware. Each Cabinet Department is directed to review the supply chains for which it has particular responsibility or in which it has a particular interest, and the tasking runs through most of the Departments, from Agriculture to Transportation.
China's PLA operating a surveillance campaign directed against Tibetan dissidents.
Proofpoint this morning released a study of a Chinese People's Liberation Army threat actor ("TA413") that has deployed a malicious Firefox browser extension, "FriarFox," in a surveillance campaign directed against Tibetans. TA413 has also used Scanbox and Sepulcher malware in its operations so far this year. The unit's targets include Tibetan groups, both within Tibet and in the Tibetan diaspora. Proofpoint notes that TA413 isn't particularly sophisticated, but of course sophistication isn't an end in itself, and the threat actor is well set up to work against its assigned targets, which present what Proofpoint calls a "low barrier to compromise."
Russian intelligence services believed to have hired Gamaredon to work against Ukrainian government targets.
Ukraine's National Security and Defense Council (NSDC) has accused Moscow of compromising a Ukrainian government file-sharing system, the System of Electronic Interaction of Executive Bodies (SEI EB). ZDNet believes the group responsible is Gamaredon, a group widely regarded as a proxy for Russian intelligence services. The NSDC describes the operation as a software supply chain compromise. As the Council tweeted, “The attack belongs to the so-called supply chain attacks. Methods and means of carrying out this cyberattack allow to connect it with one of Russia's hacker spy groups.”