At a glance.
- Naming and shaming (and sanctioning) Russia.
- NSA not seeking domestic surveillance authority.
- Proposals for aviation cyber resilience.
- Negotiating the US Defense Department's CMMC.
- China takes steps against "historical nihilism."
US unmasks Holiday Bear (and yep, it really was Cozy Bear), sanctions Russians, warns of ongoing compromise.
NSA, along with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), published a Cybersecurity Advisory warning that Russia’s Foreign Intelligence Service (SVR), also known as Cozy Bear, is actively exploiting five vulnerabilities in US and allied networks. The agencies urge immediate investigation and remediation, cautioning that Cozy’s favorite techniques (the advisory lists them by their MITRE ATT&CK names) include “exploiting public-facing applications,” “leveraging external remote services,” “compromising supply chains,” “using valid accounts,” “exploiting software for credential access,” and “forging web credentials.”
Meanwhile, the Biden Administration is preparing to formally attribute Holiday Bear’s supply chain gambit to the SVR, then in response to the campaign and other recent Russian misbehavior, expel ten diplomats and broaden financial sanctions via executive order, according to the Wall Street Journal. The order will strengthen current bans on “trading in Russian government debt” by barring “U.S. financial institutions from buying new bonds directly from Russia’s central bank, finance ministry and the country’s massive sovereign-wealth fund after June 14.” The announcement of this and other sanctions was made this morning from the White House.
Daniel Castro, Vice President of the Information Technology and Innovation Foundation, offered some early industry reaction to the measures announced today. He gives it generally favorable reviews:
"Today the United States hit reset on the nation’s cybersecurity policy. Biden’s job is to make Putin and others realize the Trump era is over and there is a new sheriff in town. With today’s announcement, he’s off to a good start. The question is now whether the United States and its allies can consistently impose significant and proportionate costs on nations that engage in or support cyberattacks that undermine global security.
"The actions announced today will position the United States and its allies to be more prepared for future attacks. A key part of this strategy is better attribution to reliably identify the source of attacks. But it remains to be seen whether better attribution will cause Russia or China to change tactics. Put simply, a “name and shame” approach won’t work on the shameless, and both Russia and China have brazenly engaged in state-backed cyberattacks in recent years.
"The Biden administration should hope for the best but prepare for the worst, including deploying offensive countermeasures to respond to future incidents of state-backed cyberattacks and expanding its investment in defensive cybersecurity technologies and capabilities."
NSA really doesn’t want domestic surveillance authority.
FCW clarifies that NSA Director Nakasone is not, in his words at the Senate Intelligence Committee hearing on the Intelligence Community’s Annual Threat Assessment, “seeking legal authorities either for NSA or for US Cyber Command” in response to Cozy Bear’s gambol. Nakasone did not make clear, however, what remedy he is seeking to the oft-touted “blind spots” in domestic networks, though he did reiterate that private sector incentives stymie information sharing. FCW notes that the Director’s responses “seemed to frustrate lawmakers, who for months have pressed…for direct and expedient answers on how to prevent another intrusion.”
Nextgov’s impression was that improved public-private partnership was indeed the recommended solution. While lending support to breach notification regulation, Senator Wyden (Democrat of Oregon) countered that Federal agencies have work of their own to do first, since the intrusion also went undetected on fully “visible” Government networks.
World Economic Forum’s recommendations for aviation cyber resilience.
The World Economic Forum and Deloitte bring us a report intended to establish cyber standards for the aviation sector. “Pathways Towards a Cyber Resilient Aviation Industry” suggests the following global, domestic, and organizational strategies:
- “Aligning regulations globally”
- “Establishing a cyber resilience baseline”
- “Encouraging continuous assessments and industry benchmarking”
- “Developing information-sharing frameworks and standards”
- “Enabling systematic build up of skills”
- “Rewarding open communication on incidents”
- “Fostering a culture of cyber resilience”
- “Integrating cyber resilience into business resilience practice”
- “Going beyond compliance”
- “Ensuring systemic risk assessment and prioritization”
- “Collaborating ecosystem-wide”
- “Establishing ecosystem-wide cyber resilience plans”
The document notes aviation’s crucial role in vaccine transport and the accompanying risk of targeted cyberattacks.
Cybersecurity Maturity Model Certification.
National Defense, the magazine of the National Defense Industrial Association (NDIA), addresses common CMMC questions. The association cleared up the following: Vendors should feel free to ignore the word “pilot.” It refers to all CMMC contracts through 2026. There’s no public record of pathfinder contracts or scheduled assessments of Third Party Assessor Organizations. Processing time for Level Three compliance will depend on factors like organization size and present compliance.
Current contracts are not affected, only new or amended ones. Just one assessment is needed per organization. Compliance could be very expensive, and who should cover the costs is “hotly debated.” There are worries that the new requirements will be impossible for some organizations. There’s concern that vendors won’t have time to review CMMC rules with subcontractors. It’s not clear what will happen if subcontractors can’t comply.
CMMC does cover foreign vendors, but suppliers of commercial-off-the-shelf goods that handle no controlled unclassified information (CUI) needn’t apply. CUI protection standards are less rigorous than those for classified information. What counts as CUI is unclear: some think it must originate from the Government; others, that it can be developed down the line.
When Beijing’s hotline bling, that can only mean “historical nihilism.”
Reuters reports that the Cyberspace Administration of China has set up a tip line for residents to report online posts disparaging the CCP in the run up to the party’s one hundredth anniversary this summer. Casting anyone who “distorts” history, insults leaders and “heroes,” or rejects “the excellence of advanced socialist culture” as “historical nihilists,” the regulator encouraged the public to “actively play their part in supervising society…and enthusiastically report harmful information.” Beijing typically ramps up censorship in advance of national occasions; critics risk jail time.