At a glance.
- Notes on CMMC 2.0.
- An EU cyber emergency fund?
- Most geofencing ruled unconstitutional in the US.
- FBI warns of government impersonation.
- Reaction to the Strengthening American Cybersecurity Act of 2022.
What to expect from CMMC 2.0.
The US Department of Defense (DoD) has announced it will be releasing a new version of its Cybersecurity Maturity Model Certification (CMMC), a guide intended to regulate the control of unclassified information and high-value assets by government contractors and subcontractors. HelpNetSecurity offers an overview of what changes to expect. Critics have argued that the stringent requirements of the CMMC are nearly impossible for smaller firms to implement, leaving them unable to compete with larger firms for contracts. One much-criticized stipulation required all DoD contractors and subcontractors to conduct costly third-party assessments of their cybersecurity procedures, regardless of their role or the sensitivity of the data being handled. CMMC 2.0 is expected to be a more streamlined version of its predecessor, simplifying the certification process and cutting down on security regulations for contractors who handle less sensitive data.
EU ministers request cybersecurity emergency response fund.
In response to Russia’s invasion of Ukraine, EU telecoms ministers are urging the European Commission to establish a cybersecurity emergency response fund to help fight large-scale cyberattacks. A draft document penned by the ministers states, “The current geopolitical landscape and its impacts in cyberspace strengthen the need for the EU to fully prepare to face large-scale cyberattacks. Such a fund will directly contribute to this objective.” Reuters reports that the ministers, one from each of the twenty-seven countries of the EU, are also requesting stronger regulations to secure digital infrastructure and to encourage input from the public sector. The ministers are set to meet in Nevers, France this week to discuss the document.
Ruling determines most geofencing unconstitutional.
A US federal judge has determined that police violated the Constitution by accessing the location data of Google users near a 2019 bank robbery. Legal experts say the ruling is unprecedented in that it condemns the use of geofencing, a controversial investigative technique that has grown in popularity among law enforcement agencies in recent years. The Wall Street Journal reports that Judge M. Hannah Lauck of the US District Court for the Eastern District of Virginia deemed the officers’ geofence warrant an “unreasonable search” as defined by the Fourth Amendment, which protects against collecting information on individuals without probable suspicion. Lauck also called for legislation to limit such data collection by tech giants like Google’s parent, Alphabet Inc., stating, “Until recently, the ease with which law enforcement could access such precise and essentially real-time location data was unimaginable.” Privacy advocates have opposed geofencing, concerned that such warrants could allow for indiscriminate surveillance of innocent people. Albert Fox Cahn, executive director of the nonprofit advocacy group Surveillance Technology Oversight Project, explained, “While the court stopped short of saying all of them are unconstitutional as a practical matter, this reasoning would outlaw the vast majority of geofence warrants.”
FBI warns of scammers impersonating government and law enforcement officials.
The US Federal Bureau of Investigation issued an alert this week warning of an increase in fraud operations in which scammers are posing as police or government officials. Spoofing legitimate phone numbers and names, they attempt to convince the target they’ll be arrested or penalized unless an immediate payment is handed over. Scenarios include telling the victim their identity has been used in a crime, claiming the target missed jury duty, or telling medical practitioners their license is in danger of being revoked. The alert urges the public to remember that the government would never request a payment over the phone. “Any legitimate investigation or legal action will be done in person or by official letter. Always ask for credentials to validate identity,” the warning states.
Erich Kron, security awareness advocate at KnowBe4, commented on the latest scam and on why impersonating government officials is so attractive to criminals. Knowing how government agencies actually work can help keep users from becoming victims:
“Leveraging the authority of government and law enforcement officials is a very effective tool in the scammer’s book of tricks. Social engineering and scams often rely on eliciting a strong emotional response from victims, causing them to miss or ignore red flags that could otherwise help them avoid falling for the scam. Few government agencies cause as much fear as the IRS, as they have broad law enforcement powers and people are often confused by the U.S. tax system, making them more prone to believe they made a mistake and must correct it. U.S. government entities, such as the Social Security Administration, are the primary source of income for many older Americans, making a threat to income a very stressful ordeal, and making them prone to fall for related scams.
“Whenever receiving a text message, phone call or email that elicits a strong emotional response, the best thing a person can do is to take a deep breath and treat it very suspiciously. Most government agencies will not communicate via email or a phone call, especially when initially informing a person of an issue. These initial communications should come through the regular mail, so any other method should be taken with a grain of salt. If there is an issue, contacting the organizations through the published phone number on their .gov website will get individuals to people who can confirm if there is or is not an issue.
“Government agencies will never ask for payment through gift cards or cryptocurrency. These agencies will have accepted forms of payment for any amounts that are due, published on their websites.”
Strengthening American Cybersecurity Act.
The Senate’s passage of the Strengthening American Cybersecurity Act of 2022 continues to attract comment. Charles Horton, COO of NetSPI, sees an upside in the encouragement given to information-sharing, but a possible downside in exposure to litigation:
“The passing of the Strengthening American Cybersecurity Act showcases that rapid centralized aggregation and dissemination of real-time attack data is crucial in order to better protect networks in both the private and public sectors, especially as ransomware groups and attack methods mature and become more frequent.
“This Act provides a foundation for both public and private sectors to create larger scale defenses against attacks, which will minimize impact in the long term. It is also especially prominent given the current situation in Ukraine, which has heightened the urgency to address cybersecurity concerns as the threat of ransomware attacks takes center stage.
“The quality and timeliness of information collected, and the corresponding reporting processes, will determine the success of this new legislation. Given these events are often underreported, these new reporting protocols will better determine the size and scope of the attacks. And the reporting of payments will provide more actionable insight as a result of collecting that information at scale.
“One potential downside of the Act is that it will open up companies to risk of litigation and could trigger significant reputational and financial penalties for them as these attacks are made public. This risk is currently a deterrent for organizations reporting attacks more openly today. That said, one way to help mitigate this risk is for the public sector to provide a backstop for cyber insurance, which is on an astronomical rise.
“The Strengthening American Cybersecurity Act’s passing is a true acknowledgment from the public sector that the frequency and severity of ransomware attacks cannot go unresolved. Now, the onus is on both public and private organizations to uphold its principles as these incidents take place – regardless of the size or scale of the attack.”