At a glance.
- US interagency alert warns Cleared Defense Contractors.
- Security nutrition labels.
- Kids Online Safety Act introduced in US Senate.
US interagency alert warns about Russian operation targeting defense contractors.
An alert was issued yesterday by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) stating that Russian state-sponsored threat actors have been targeting security-cleared defense contractors (CDCs) supporting the US Army, Air Force, Navy, Space Force, Department of Defense, and Intelligence programs for at least two years. The alert states “The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.”
The warning is significant in that it shows how CISA, the FBI, and NSA are joining forces to combat threats. The agencies offer detailed detection strategies, including reviewing logs for suspicious logins or for evidence of one IP address being used across multiple accounts. The alert also advises potential targets to use such mitigation methods as enabling multifactor authentication, requiring strong passwords, and turning on account lockout and time-based access features. As The Verge notes, the agencies’ willingness to directly attribute the activities to Russian state-sponsored actors is a meaningful statement in itself, as growing unrest on the Russo-Ukrainian border has US officials on alert for malicious Russian cyberactivity.
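To make the log-review advice concrete, here is an added example (not code from the advisory, the agencies, or this briefing) that runs two of the recommended checks over a handful of constructed authentication log lines: one source IP logging in as several different accounts within a window, and an account hit by a burst of failed logins followed by a success. The log format, the sample addresses and account names, and the thresholds are all assumptions chosen for illustration.

```python
"""
Added example: detection logic for two signals the CISA/FBI/NSA alert suggests
reviewing logs for. Not taken from the advisory; log format and thresholds are
assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed line format:
# "<ISO timestamp> <account> <source_ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2022-02-16T08:01:10 alice 203.0.113.7 SUCCESS
2022-02-16T08:02:41 bob 203.0.113.7 SUCCESS
2022-02-16T08:03:15 carol 203.0.113.7 FAIL
2022-02-16T08:03:22 carol 203.0.113.7 FAIL
2022-02-16T08:03:30 carol 203.0.113.7 FAIL
2022-02-16T08:03:44 carol 203.0.113.7 SUCCESS
2022-02-16T09:10:00 dave 198.51.100.20 SUCCESS
2022-02-16T09:11:00 dave 198.51.100.20 SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    account: str
    ip: str
    ok: bool  # True for a successful authentication


def parse_log(text: str) -> list[Event]:
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, ip, result == "SUCCESS"))
    return events


def ips_spanning_accounts(events, min_accounts=2, window=timedelta(hours=1)):
    """Return {ip: sorted accounts} for source IPs that successfully logged in
    as at least `min_accounts` distinct accounts inside any `window`-long span.
    The largest such account set per IP is reported."""
    by_ip = defaultdict(list)
    for e in events:
        if e.ok:
            by_ip[e.ip].append((e.ts, e.account))
    findings = {}
    for ip, logins in by_ip.items():
        logins.sort()
        best: set[str] = set()
        for i, (start, _) in enumerate(logins):
            accounts = {acct for ts, acct in logins[i:] if ts - start <= window}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            findings[ip] = sorted(best)
    return findings


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(account, ip): (fail_count, later_success)} for account/IP pairs
    with at least `threshold` failed logins inside `window`; later_success says
    whether the same pair then authenticated successfully after the last failure."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pair[(e.account, e.ip)].append(e)
    findings = {}
    for pair, evs in by_pair.items():
        fails = [e.ts for e in evs if not e.ok]
        best = 0
        for i, start in enumerate(fails):
            best = max(best, sum(1 for t in fails[i:] if t - start <= window))
        if best >= threshold:
            last_fail = max(fails)
            later_success = any(e.ok and e.ts > last_fail for e in evs)
            findings[pair] = (best, later_success)
    return findings


def review(text: str) -> dict:
    """Run both checks over a log text and return the combined findings."""
    events = parse_log(text)
    return {
        "shared_ip": ips_spanning_accounts(events),
        "failed_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(name, result)
```

On the sample data the first check flags 203.0.113.7 for logging in as alice, bob and carol within an hour, and the second flags carol's three failures followed by a success from that same address. The `failed_login_bursts` output is also the natural input for the account-lockout mitigation the alert recommends: a lockout rule is simply a decision taken on the same failure count before the later success can happen.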
Tim Erlin, VP of strategy at cybersecurity company Tripwire, wrote to express approval of this approach:
“Kudos to CISA for including meaningful mitigations in this advisory. Unfortunately, as is often the case with changes in the threat landscape, the risk mitigation actions are all relatively complex to implement. While these mitigations are core security controls that organizations should be implementing already, it’s important that we not let the perfect be the enemy of the good. It’s possible to gain incremental benefit from incremental implementation. Cleared Defense Contractors should use the list of mitigations in the advisory as a checklist to identify areas of improvement that they can prioritize.”
Behind NIST’s cybersecurity nutrition labels program.
In accordance with a key provision in the Executive Order (EO) on Improving the Nation’s Cybersecurity issued by US President Joe Biden last May, the National Institute of Standards and Technology (NIST) has been hard at work developing a cybersecurity “nutrition labels” program for consumer software and Internet of Things (IoT) products. The program’s goal is to better inform consumers about the cybersecurity policies of the products they use by including easy-to-understand labels detailing the product’s cybersecurity standards.
NIST offers an overview of their approach to establishing labeling criteria that are technical enough to be understood by product developers while still being transparent enough to be comprehensible by the typical consumer. NIST Computer Scientist Michael Ogata explains that NIST’s software recommendations are split into two groups: descriptive claims, which identify important facts about the label and the software being labeled, and secure software development claims, which explain what industry best practices were used during the product’s development. Katerina Megas, program manager for NIST’s Cybersecurity for IoT program, adds that NIST first researched what schemes already existed, then used that information to develop core principles for the program, incorporating input from stakeholders. “Hearing from a wide range of stakeholders representing diverse perspectives – consumers, cybersecurity researchers, and manufacturers – we developed and refined our recommendations,” she explains. The next step is to pilot the program and gather feedback from labeling scheme owners.
New US law puts child safety ahead of “eyeballs and dollars.”
The Washington Post reports the long-awaited Kids Online Safety Act has finally been unveiled by Senators Richard Blumenthal (Democrat of Connecticut) and Marsha Blackburn (Republican of Tennessee). Applicable to any site or app available to children under sixteen, the bill requires these platforms to create features that grant parents the power to limit their children’s screen time and protect their data. Parents must also be given the ability to alter a platform’s recommendation algorithm to ensure that children aren’t offered content deemed inappropriate. The bill requires these sites to block content promoting self-harm, eating disorders, bullying, or sexual abuse of minors.
The measure arrives after months of congressional investigation into child safety, sparked by documents exposed last year by Facebook whistleblower Frances Haugen indicating the social media giant was harming minors by employing data algorithms focused on increasing activity. As Blumenthal told Protocol, “The Kids Online Safety Act would finally give kids and their parents the tools and safeguards they need to protect against toxic content — and hold Big Tech accountable for deeply dangerous algorithms. Algorithms driven by eyeballs and dollars will no longer hold sway.” The measure also requires these platforms to allow the National Telecommunications and Information Administration to access site data in order to conduct research about the potentially harmful impact of tech on children, a big win for researchers who faced pushback from platforms over data scraping.