At a glance.
- Sanctions against Huawei are biting the company's bottom line.
- US Department of Homeland Security and the Intelligence Community look to supply chain security.
- Comment on the US Government's plans to increase resilience.
- Resilience at the local level.
US sanctions against Huawei appear to be having effect.
Washington’s anti-Huawei initiative is showing results, according to the Washington Post, as international smartphone and telecom tech sales drop and the company is forced to think domestic. The Trump Administration’s prohibition on semiconductor factories using US tools transacting with Huawei was apparently the last straw. One executive admitted it’s been “a really tough year,” and US sanctions had “a huge impact.” He added, however, that the policy will harm America’s standing in the long term, a sentiment echoed by some US semiconductor firms.
It’s not all bad news for Beijing, though. Huawei is pouring billions into R&D, setting its sights on emerging technologies like self-driving vehicles. And the South China Morning Post touts the Chinese Communist Party’s new data security agreement with the League of Arab States, the details of which are unclear, but involve protecting citizens from surveillance and elevating developing nations’ opinions. (China’s Initiative on Global Data Security, a reply to Washington’s Clean Network initiative, “received the cold shoulder” from the West.) The League of Arab States commented that it’s eager to bolster technological ties “with all partners.”
Noting that the Trump Administration brought Huawei “to its knees,” NPR considers President Biden’s position on the telecom giant, concluding that he “appears to want to keep the pressure on,” for now. The threat to US industry presents a countervailing concern, but the President is not keen to look “soft on China” given his opponents’ criticisms. A Huawei executive observed that unease over the “rise of China” is as much a factor in Huawei sanctions as security worries.
US prioritizes software supply chain security.
The National Counterintelligence and Security Center (NCSC) announced the Fourth Annual National Supply Chain Integrity Month, a “call-to-action campaign” involving the Cybersecurity and Infrastructure Security Agency (CISA), Federal Communications Commission, Defense Department’s Center for the Development of Security Excellence, and other stakeholders. The NCSC’s supply chain toolkit details threats and best practices.
In honor of National Supply Chain Integrity Month, CISA invites organizations to take advantage of the Information and Communications Technology Supply Chain Risk Management Task Force’s free resources. The Task Force, which has studied more than two-hundred supply chain threats in the past couple years, plans to release additional tools for evaluating vendors’ reliability in the near future.
Supply chains are vulnerable to global disasters, trade interruptions, and malicious operations, as we’ve seen this year, with the US’ economy and security on the line. The NCSC recommends the following fundamentals:
- “Diversify Supply Chains”
- “Mitigate Third-Party Risks”
- “Identify and Protect Crown Jewels”
- “Ensure Executive-Level Commitment”
- “Strengthen Partnerships”
SecurityWeek doubles down on the NCSC’s warning that foreign adversaries are targeting influential suppliers, recalling NotPetya’s mode of transit in an automated update to a tax preparation tool, and Holiday Bear’s recent gambit.
Industry comment on the Department of Homeland Security's plans for improving resilience.
The attention to the software supply chain as well as the security sprints the Department of Homeland Security is organizing are intended as steps in the direction of greater resiliency. Edgard Capdevielle, CEO of Nozomi Networks, gives the US Federal Government good reviews on its intentions, but notes that resiliency won't be achieved overnight, nor without a good deal of hard work:
“It's encouraging to see the White House, DHS, Congress and others in US government taking steps to strengthen efforts to protect our Nation's critical infrastructure from cyber threats. However, there is much work ahead to ensure we move forward with successful initiatives and best practices that secure our country in a reasonable timeframe.
"Critical infrastructure security has never been more important. In the face of so many threats and attacks, like SolarWinds, Microsoft and the Florida water treatment facility hack, we must step up efforts to develop effective coordination and collaboration across government agencies and with the private sector so that all are working together, and not in a vacuum or at cross-purposes.
"Public/private cooperation is critical too, and the efforts to drive this must be carefully designed so they are not too heavy-handed. New efforts must be effective without infringing on rights to privacy or unintentionally make it harder or even discouraging the private sector from working with the government. Partnership - and access to technology advancements that often come from smaller private vendors - is key.
"Regarding the new jobs and infrastructure plan announced this week, if cybersecurity isn't a key component of this new infrastructure then we won't meet all the requirements necessary to deliver the desired "resilience." The DHS and CISA need funding, municipalities need federal help. When appropriate financial resources are in place to enable these initiatives, that’s when we’ll start to make progress."
Questionable target selection, and a plea for bucking up local government resilience.
ABC News reports that the school district in Florida's Broward County has been hit with a ransomware attack. Chloé Messdaghi, Founder of WeAreHackerz, emailed us some thoughts on the implications of the incident. Broward County has a big school district, one of the larger ones in the US, but that doesn't necessarily make it a good target by the Willie Suttonesque standards criminals typically apply. The hoods responsible are unlikely to get the big payoff they expect, because public school districts (even?) in the US don't have particularly deep pockets, but the attack will nonetheless be damaging, for all the disappointment the criminal skids are likely to experience:
“This particular threat actor group is woefully underinformed, and based on their ransomware assumptions, is likely not from the US.
“US school districts may appear to some have large budgets, but almost all of those budgets are committed to ongoing expenses that are deeply and contractually committed. There’s little to no discretionary budget, and even core resources are underfunded. Not all that long ago, my public school textbooks were covered in years’ worth of markings from other students, and were written decades ago, back in the 70s and 80s.
“That the threat actors asked for $40 million and said they’d done their research merely proved that they were grossly uninformed. Asking for such an amount and saying you’ve done the research shows that.
“Demanding such high ransomware from a school district also shows the worst of criminal intent – especially at a time when schools are struggling to sustain education in the midst of the pandemic, while taking on the added missions of reaching those kids suffering from food insecurity and unsafe home lives. Every independent security researcher and legitimate hacker group out there is trying to prevent exactly this sort of problem."
"This attack underscores why cybersecurity for our public schools and local governmental agencies Must be part of the Infrastructure bill now being debated.
“The commercial and industrial sectors are learning that if they don’t invest in cybersecurity, they ultimately don’t have a product. The same holds true for the public sector – if local and state governments don’t invest in cybersecurity, they can’t effectively offer services and protect citizens’ data. Ultimately it impedes their ability to serve democracy on even the most basic levels, including protecting our childrens’ futures and offering fair and honest elections.
“School systems will remain top targets, both because they don’t have the funds or resources to put security first, and because the PII of children can be so lucrative.
“Once threat actors get a hold of kids' identities, they can take advantage and place victims’ lives and well-being at risk, both immediately and then down the road. The first clue a child might get that their identity has been stolen could be years down the road, when they’re turned down for college loans or credit. Kids have become automatic targets at young age.
“Now more than ever, we’ve got to support school infrastructures, including development of urgently needed cybersecurity infrastructure."
“It’s understood and is heartening that the massive infrastructure bill now being debated includes funding for cleaner and less plastic-laden water, safer transportation, the addressing of racial opportunity inequities, cleaner air and other urgent needs. The securing of kids’ identities is another critical element in securing our future, and that starts with establishing the cybersecurity infrastructure of our local school districts and local governmental cybersecurity."