At a glance.
- NCSC advises all British organizations to patch Microsoft Exchange Server as soon as possible.
- US FCC puts five Chinese companies on sanctions list.
- Gaps in food production cybersecurity?
- Observations on US cyber strategy.
- Holiday Bear and Hafnium: different kettles of fish.
UK: patch Microsoft Exchange Server today.
Britain’s National Cyber Security Centre (NCSC) echoed calls in the US and EU for immediate installation of Microsoft’s Exchange Server patch and warned organizations to “be alive to the threat of ransomware,” Insurance Journal reports. Roughly half of the UK’s approximately eight thousand exposed servers have been patched.
When attribution matters: not only knowing who did it, but what you should do to them.
In a long essay published Friday by Lawfare, the Silverado Policy Accelerator's Dmitri Alperovitch and Ian Ward draw some distinctions that they argue should inform any US response to the recent campaigns by Holiday Bear (thought by many to be Russia's SVR) and Hafnium (Microsoft's name for the responsible Chinese intelligence unit). In brief, Holiday Bear's compromise of the SolarWinds supply chain is recognizably a familiar espionage operation. That suggests it ought to be dealt with in the ways governments typically deal with blown spy operations: increase counterintelligence efforts, take steps to contain the damage, and perhaps indict responsible individuals (if you can find them) or sanction them in some other way (as one might declare an intelligence officer operating under diplomatic cover persona non grata).
The mess that Hafnium presided over with respect to Microsoft Exchange Server vulnerabilities, however, strikes them as a different matter. The Chinese actors were reckless in their operation and indiscriminate in their apparent release of the exploits to equally reckless criminal gangs. The webshells in particular left the victims open to any crook with the ability to use them, and that's a pretty low barrier to entry. That mass hacking campaign was irresponsible, and may merit appropriate punishment by the international community.
US FCC places five Chinese companies on sanctions list.
The Federal Communications Commission has embargoed video surveillance and telecommunications tech from five Chinese vendors, according to Bloomberg Law, citing “an unacceptable risk to the national security.” The move falls under the Secure and Trusted Communications Networks Act of 2019. South China Morning Post notes that the list includes Huawei and ZTE.
Protecting the peanuts and Pepsi: a cyber gap in food safety regulation?
Control Global says Americans’ “food supply is neither cybersecure nor safe from control system cyber threats” since the Obama-era Food Safety Modernization Act does not directly address cyber vulnerabilities. Incidents impacting electric grids, water utilities, and chemical plants are well-documented, and “the same control systems from the same vendors with the same vulnerabilities are used” in food factories. Pandemic-inspired remote access applications and the Holiday Bear gambol further raise the stakes for crucial networks. Solutions Review points to the reported Molson Coors ransomware attack as one example of what can happen: namely, ongoing interference with the beverage company’s manufacturing process.
Food Engineering reiterates that food and beverage sector industrial control systems (ICS) are not invulnerable to cyberattacks, highlighting an accelerating trend in control system vulnerability disclosures. Claroty VP Amir Preminger commented, “Nation-state actors are clearly looking at many aspects of the network perimeter to exploit, and cybercriminals are also focusing specifically on ICS processes.”
Notes on US cyber strategy.
The Council on Foreign Relations describes the Biden Administration’s cyber policy as characterized by commitments to democracy, defense, deterrence, diplomacy, and innovation. Democracy faces cyber challenges in the form of “election interference, disinformation, cyberattacks, and digital authoritarianism.” China and Russia represent intensifying threats, and the US is struggling to keep pace with the “technological revolution.” While the specifics of President Biden’s cyber policy have yet to crystalize, the Council believes the general trajectory is clear, and responds to “a fundamental debate about [the world’s] future direction.”