At a glance.
- Suit seeks FISC transparency.
- US begins 100-day grid security sprint.
- CISA directs Federal agencies to remediate Pulse Secure VPN vulnerabilities.
Suit seeks disclosure of post-9/11 FISC proceedings.
The Maryland Daily Record reports that civil liberties associations are petitioning the US Supreme Court on First Amendment grounds to reverse Foreign Intelligence Surveillance Court (FISC) decisions blocking access to past judgments affecting privacy rights. The New York Times highlights the role of Ted Olson, Solicitor General under President George W. Bush, and the Wall Street Journal outlines the arguments on both sides.
Groups like the American Civil Liberties Union argue that a healthy democracy demands transparency, and that the First Amendment right to observe judicial decisions, subject to exceptions where values like national security are at stake, applies equally to FISC rulings. The Government has argued that the potential harms to domestic safety, international relations, cross-sector collaboration, and intelligence community participation in the FISC process are overwhelming.
The suit covers rulings resulting in “novel or significant interpretations of law” delivered between 2001 and 2015, when the USA Freedom Act expanded public access to FISC decisions. The New York Times notes that the Supreme Court “has never agreed to review any” FISC judgments since the surveillance court’s inception in 1978.
Securing the US power grid.
The US has begun a hundred-day program to increase the cybersecurity of its power grid. The US Department of Energy describes the plan as “a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA).”
The Energy Department is soliciting input from industry. SecurityWeek observes that this hundred-day plan would be the effort Anne Neuberger, the Deputy National Security Advisor for Cyber, alluded to earlier this month as a project that was in the works.
The Energy Department singled out these features of the plan for special mention:
- "Encourages owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities;
- "Includes concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks;
- "Reinforces and enhances the cybersecurity posture of critical infrastructure information technology (IT) networks; and
- "Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems."
We heard comment from a number of industry sources on the hundred-day plan. Purandar Das, CEO and Co-Founder of Sotero, wrote:
“It is encouraging to see the prioritization, by the administration, of protecting the country’s vital infrastructure. This is a long overdue action and will require a long-term commitment, by both the utilities and the administration, in terms of funding, prioritization and technology. One would assume that the 100-day initiative will result in a long-term strategy and a sustained drive to protect a vital part of the country’s infrastructure. Nothing short of a long-term investment strategy will enable the upgrade of legacy systems.”
Edgard Capdevielle, CEO of Nozomi Networks, sees what he calls a "sprint" as something that should be received with appropriate expectations:
“Regardless of the specific elements contained in the plan, there are upsides and downsides that should be kept in focus. First, it’s reactionary and meant to address past incidents. It’s not forward-thinking or future-proof, and doesn’t address incidents that haven’t been discovered or happened yet. On the upside, the fact we have a plan means the matter is being taken seriously at the highest levels of leadership. Whatever might ultimately prove to be right or wrong with the plan, it can be adjusted and improved upon as we execute. We should view this sprint, like others, as building blocks rather than silver bullets.”
Bryson Bort, CEO of SCYTHE, points out that the sprint is consistent with other announced policies:
"The 100-day grid security sprint echoes what Anne Neuberger has been saying about increasing visibility, being able to see and respond to malicious behavior, and transparency, establishing trust with the public that we’re safe, in our critical infrastructure. I believe the 100 day sprint will be more about establishing specific recommendations with the key question being answered of how do we help the smaller providers? Our resource challenges are funding, technology, and expertise.
"The reinstatement of EO 13920 clarifies that DOE will not include adversarial nations in the consideration for critical infrastructure technology and security.
"The 100 day sprint is meant to accomplish two things: 1) establish public trust in our electric grid; 2) create a roadmap for a more robust plan. The first is showing the government is aware of the challenges and is doing something. The longer term benefit which will accrue is increased detection capabilities which will reinforce that trust over the longer term."
John Callahan, CTO of Veridium, notes that energy is a foundational critical infrastructure sector:
"As U.S. DOE kicks off its 100-Day Plan to address cybersecurity risks to the U.S. Electric System, we note that energy is one of 16 sectors but it is a foundational sector due to the dependence of other sectors (information, healthcare, communications) on energy. One of the major problems in all of these sectors is the lack of interoperability between industrial control systems (ICS), operational technologies (OT) and Internet-of-Things (IoT) devices (and networks) in general. Today, the FIDO Alliance announced a better way to break through all the stovepipes of ICS/OT/IoT platforms that allows for a unified approach for systems of devices, access control to such systems, and onboarding trusted devices into such systems. The FIDO Device Onboarding (FDO) standard provides an automatic onboarding protocol for devices and permits late binding of device credentials so that one manufacturer's device may be onboarded across different platforms. The FIDO Alliance is a consortium of over 250 companies including Google, Microsoft, Veridium and Intel, dedicated to interoperability for critical control solutions."
CISA directs Federal civilian agencies to address Pulse Secure vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive mandating rapid remediation of vulnerabilities discovered in remote access software Ivanti Pulse Connect Secure, warning of “active exploitation” with the ability to establish persistent access. In light of “the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise,” CISA is requesting “emergency action.” The Agency’s companion Activity Alert notes that the breach has been ongoing since at least June of last year, and affects critical infrastructure and businesses as well as Government agencies.
Pulse Secure says it’s cooperating with CISA, FireEye, and Stroz Friedberg on the issue while “evolving standards of code development and conducting a full code integrity review.” The number of impacted customers, the company claims, is “limited.” BleepingComputer cautiously links the attacks to Beijing-backed espionage group Keyhole Panda, describing the threat actors’ probable objective as IP theft, with a particular taste for EU and US defense assets. Other hackers have also taken advantage of the vulnerabilities, as CNN reports.
Purandar Das, CEO and Co-Founder at Sotero, sees the campaign as very much in the style of the SolarWinds campaign:
“It didn’t take long for a second attack using the SolarWinds approach. More evidence that the SolarWinds attack, where the hackers leveraged widely used third-party software as a vehicle, may just be starting. Also, the move to remote work, caused by the pandemic, offered another potential access point for attackers. Both of these point to the resourcefulness and the constant search for new ways to hack into an enterprise. It also illustrates the premium that is placed on data and information, be it personal or organizational.”
We also received some comment from industry about the continuing utility, or otherwise, of virtual private networks. Gary Kinghorn, Marketing Director at Tempered Networks, wrote, bluntly, "The VPN is dead, or should be. It's a gateway to a network that when breached provides extensive access to the rest of the organization. There are better approaches that can eliminate these vulnerabilities that include end-to-end encryption, cryptographically-verified identities of remote users and accessible devices, and shutting down the spread of threats that do penetrate the network perimeter with microsegmentation. It's taking a long time for mainframes to die, so we’ll probably see the same with VPNs."
Matias Katz, CEO of Byos, sees the incident as another argument for moving to a zero-trust approach: "The concept of a vulnerability on the perimeter highlights the need for adopting technologies that align with the notion of Zero Trust. Moving from a perimeter-based networking model to one with decentralized security through a micro-segmentation approach will help organizations minimize the impacts of security incidents."