At a glance.
- New UK data transfer rules now in effect.
- Commercial satellite companies seek government cybersecurity aid.
- US President urges private sector to prepare for Russian cyber warfare.
New UK data transfer rules now in effect.
Two recently approved data transfer tools, the UK International Data Transfer Agreement (IDTA) and the UK Addendum to the 2021 European Commission-approved standard contractual clauses, are now officially in effect in the UK. cyber/data/privacy insights provides a timeline of important deadlines related to the implementation of the new tools. After September 21, all new contracts must use the new tools, but existing contracts have until March 2024 to make the transition.
Commercial satellite companies seek government cybersecurity aid.
Breaking Defense reports that US commercial remote satellite firms supplying US intelligence agencies and military with tactical intelligence, surveillance and reconnaissance (ISR) have become increasingly aware they might be targeted by Russian cyberaggression. Last month US officials warned Russia might attempt to attack satellites providing images of Moscow’s ongoing invasion of Ukraine, and industry representatives say they are seeking guidance from government leaders on how to prepare for and respond to future cyberincidents. “It’s definitely something that our leadership team in our interactions with stakeholders are actively discussing,” said Tony Frazier, executive vice president for global field operations at Maxar Technologies, at the Satellite 2022 conference yesterday. Maxar is one of several firms that provide electro-optical imagery and associated analytical products to the National Reconnaissance Office (NRO). There is currently no formal process for reporting cyberincidents in this industry, but Frazier went on to say there are ongoing discussions regarding how the government can protect these commercial operators, perhaps borrowing models from other industries like the Civil Reserve Air Fleet.
US President urges private sector to prepare for Russian cyber warfare.
The White House yesterday released a statement warning of the threat of malicious cyberactivity from Russia and encouraging the private sector, which supports much of the nation’s critical infrastructure, to bolster their cybersecurity. While the administration has previously expressed concerns about the potential for Russian cyber aggression as a result of the invasion of Ukraine, US President Joe Biden explains that there is now intel indicating that Russia has begun exploring options for attack. “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” President Biden states. A supplemental fact sheet outlines the steps the Biden-Harris administration has taken so far in its quest to harden the country’s cyberdefenses, such as Biden’s executive order on updating federal government systems, and the Cybersecurity and Infrastructure Security Agency’s (CISA) Shields-Up campaign. The President goes on to recommend steps companies should take immediately to defend themselves, including requiring multi-factor authentication, creating offline backups of important data, and training employees on tactics commonly used by cybercriminals. CISA director Jen Easterly issued a response, stating, “As the nation’s cyber defense agency, CISA has been actively working with critical infrastructure entities to rapidly share information and mitigation guidance that will help them protect their systems. We will continue working closely with our federal and industry partners to monitor the threat environment 24/7 and we stand ready to help organizations respond to and recover from cyberattacks.”
Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks, commented:
"Companies often focus risk mitigation on people, technologies, and processes in isolation, where threat actors exploit the transaction and interactions of information, data, credentials, and privileges to impact the integrity of operations. Specific medium-term measures include an immediate review of security policies – what needs more robust protection, to identify gaps where policy may be ignored or not enforced, and to back up data in a secondary place not attached to operational, real-time networks and operations.
"Today it’s important to address risks, vulnerabilities, and best practices we are already aware of if a company has not already done so. Preparing for and identifying evolving threat actors, tactics, and new exploits is also top of mind. Both steps will reduce an organization’s risk profile, but these are dynamic and incremental security processes, not “one and done” static activities or line items.
"Reducing the likelihood that these threat actors will be able to execute their plans in your organization is the best way to prepare, while maintaining an incident response plan in case any component of your plan does fail."
Mike Hamilton, former CISO for the City of Seattle; former Vice-Chair for the DHS State, Local, Tribal and Territorial Government Coordinating Council (SLTTGCC); and currently CISO of Critical Insight, formerly known as CI Security, commented:
"The language in the announcement by the White House is beginning to edge up on ‘specific and credible’ threats, although it involves “evolving intelligence”. Notably, prior to the issues in Ukraine the Administration was prepared to call China our number one cyber threat. While true that China attacks the US using cyber methods more than every other country combined, espionage is not war.
"Part of this may be driven by the pretext that has been provided by an army of volunteers. After Anonymous has gone after pipelines, the Russian space agency, electric vehicle charging stations, broadcast television, and unsecured printers it is credible to claim that this is an aggressive action by the United States and retaliation may be under consideration."
James McQuiggan, security awareness advocate at KnowBe4, stated:
“When the pandemic hit in 2020, organizations and their InfoSec & IT departments scrambled to get people to work from home to reduce the risk of infection caused by the Coronavirus. Budgets approved, products installed, and users were working from home within days to weeks versus the expected months to years.
"With the recent cyber-attacks between Russia and Ukraine and the current intelligence coming from the US Government, organizations want to shore up their defenses to reduce the risk of a successful attack by any nation-state. Considering the target is towards the US-defined critical infrastructure, organizations must implement the various safety requirements to protect their data and systems.
"However, the mitigating threat tactics put forth by CISA's "Shields Up" will require boards to approve and fast-track spending for products and services not already implemented.
"Some of the items that are the quickest return on investment and implementation time would be reviewing incident plans and recovery strategies in the event of an attack. Review and mitigate risks to external facing systems and verify they are fully patched and current on all security updates.
"The most impactful will be to ensure employees receive education, are aware of the latest attack methods, and are vigilant on all unexpected emails that require any urgency for action.”
Erich Kron, security awareness advocate at KnowBe4, added:
“Tools like Slack offer a quick way for people to connect and collaborate, however there can be technical and non-technical concerns with these platforms. Because many people may already be using platforms like Slack for other personal interactions, they may be tempted to use their personal accounts to communicate with coworkers about business matters, a problem that could become a headache pretty quickly in the event of legal action. For organizations planning on using these collaboration tools, it would be wise to look into the business focused versions of the platforms which typically provide more security and control than the free personal versions used by many. The ability to control who is allowed to be included in these discussions, and potentially being able to control attachments and other features that could put organizational data at risk, could certainly be worth the additional cost over free versions.
"Employees should be told what is and is not acceptable when using these platforms, and that needs to be backed up by a well-written policy that explains the acceptable use of the tool and the limitations. Because many people may already use these platforms in a personal setting and are comfortable with them, making sure expectations are managed, especially with respect to professional communication standards, is critical.
"Through these platforms, organizational data may end up on personal mobile devices as well, so the security of the devices should also be stressed to employees and their responsibilities with respect to protecting this data clearly defined.
"Given the popularity of these platforms in personal and work environments, policies and training around these cannot be ignored, and organizations that attempt to ban their use might find that employees go outside what could better be controlled and monitored through a business account. Decisions on dealing with this new form of communication must be carefully considered with input from legal counsel.”
Mark Carrigan, SVP of Process Safety and OT Cybersecurity at Hexagon PPM, stated:
"We applaud the Biden Administration’s announcement that credible intelligence indicates Russia may be exploring options for potential cyber-attacks. Our government must continue communicating this type of information so industry can take steps to heighten security awareness and take action to reduce security risks. The announcement contains many practical steps organizations should follow to improve security, but there is one recommendation that, taken to an extreme, actually poses a threat to our critical infrastructure.
"As stated, '…make sure that your systems are patched and protected against all known vulnerabilities…' is not realistic for Operational Technology (OT) that enables our electric, water and pipeline sectors. Many of these patches are not compatible with the underlying OT infrastructure, and if implemented, could actually cause OT systems to fail. We suggest that this recommendation be tempered to recognize the technical limitations that exist on the vast majority of OT networks."
Karthik Kannan, Founder and CEO of Anvilogic – an AI-Driven, automated Threat Detection and Incident Response (TDIR) platform – and former Head of Security Analytics at Splunk, commented:
“The implication of the new Ukraine-Russia advisory from the White House is three-fold: 1) immediate, tactical low-hanging fruit initiatives such as multi-factor authentication, DR/backup practices, regular patching for vulnerabilities, etc. which every enterprise MUST do, 2) continuous investment in threat detection – simple & sophisticated – to detect adversary patterns, understand & implement effective mitigation procedures, which every enterprise MUST start developing capabilities for, or extend capabilities further, and 3) awareness amongst developers that they must think security in their daily development processes, including strong code with deliberate usage of components (supply chain, bill-of-materials), etc. resulting in stronger & resilient applications that are harder to breach. Further, enterprises must collaborate with the industry – other peer enterprises as well as government agencies – to learn more about threats as well as share best detection/response/mitigation practices that are working for them. We are fighting common enemies and together we stand stronger."
Danny Lopez, CEO of Glasswall, noted:
“Putin is playing a long game. War is costly both in terms of human and economic terms. If we see a de-escalation of the situation on the ground, we are likely to see an escalation of cyber warfare.
"The majority of US businesses are not prepared for the veracity of cyber warfare that would be unleashed if Putin decided to step up cyber attacks. US infrastructure, banks, travel and power networks are all extremely vulnerable.
"Anti-virus software and firewalls only protect against known threats. The real risk to the US is what we call Zero-Day threats. These are new unknown threats. There are no patches for them and they wreak havoc within hours, whilst the security services and technology industry try to catch up. These are extremely dangerous to governments as well as businesses.
"Organisations can protect themselves against this with a Content Disarm and Reconstruction approach. However, although proven in the intelligence space, it is a relatively new technology in the commercial world and not yet widespread, leaving the majority of firms at risk of disablement.”
Arti Raman, CEO and founder of Titaniam, stated:
“This latest warning from the Biden administration is not a surprise following strict sanctions imposed by the U.S. on Russia and the country’s ongoing interest in American intelligence gathering. The administration’s advice encourages organizations to prepare for an onslaught of attacks by mandating the use of multi-factor authentication, backups and data encryption, which we completely support.
"However, it’s a matter of when not if cyber adversaries will break into an organization’s systems, even with these tools in place. With Russian nation-state actors targeting government organizations, contractors and enterprises in highly regulated industries that house highly sensitive information, the right encryption technology could be the make or break factor in that data being compromised.
"Often, organizations rely on data-in-rest encryption as their last line of defense. Unfortunately, if the file or information is being worked on, or is accessed using privileged credentials, this protection is rendered useless, and hackers can still steal the underlying data. We recommend U.S. businesses and government agencies consider data-in-use encryption instead, which keeps the data and IP encrypted and protected even when it is being actively utilized, neutralizing all possible data-related leverage and limiting the need for breach disclosure.”