At a glance.
- Nakasone testifies in support of NSA-Cybercom dual-hatting.
- The art of negotiation.
- NIST renews partnership with National Cybersecurity Center of Excellence.
- TSA issues new airport cybersecurity rules.
Nakasone testifies in support of NSA-Cybercom dual-hat partnership.
Since 2010 US Cyber Command (Cybercom) and the National Security Agency (NSA) have operated in a symbiotic relationship under one leader: four-star General Paul Nakasone. Nakasone on Tuesday submitted written testimony to the Senate Armed Services Committee detailing the virtues of the dual-hat arrangement. In recent years some experts have expressed concerns that the partnership could be a drain on NSA resources, but the Record by Recorded Future explains that a recent report drafted by a group of lawmakers led by former chairman of the Joint Chiefs of Staff Joseph F. Dunford Jr. stated that the alliance was a net positive for both groups. Nakasone quoted the report in his testimony, stating there are “substantial benefits that present compelling evidence for retaining the existing structure.” He also noted that Cybercom and NSA have collaborated on important missions like defending US elections from foreign meddling and combating ransomware. “Success in protecting the national security of the United States in cyberspace would be more costly and less decisive with two separate organizations under two separate leaders,” Nakasone’s testimony continued. “The enduring relationship is vital for both organizations to meet the strategic challenges of our adversaries as they mature their capabilities against the United States.”
The art of negotiation.
Channel News Asia takes a look at the complicated world of ransomware negotiation. As ransomware attacks increase, more and more entities find themselves facing a difficult question: to pay or not to pay? The general consensus is that payment is never a good idea, given that cybercriminals cannot be trusted to keep their word, and that giving in sets a dangerous precedent. Some nations like Australia have recently considered banning ransom payments altogether, but such a ban becomes more complex when the victim is a multinational company that does business in a country where payment is not prohibited. Taking a slightly different approach, Singapore’s Counter Ransomware Task Force recently recommended that it be made mandatory for companies to report ransomware payments.
Regardless, it’s advised that victims negotiate with their attackers, even if there is no intent to pay, in order to learn more about the threat actors, the nature of the attack, and what data is at stake. Sussing out the attackers’ motives can help negotiators determine the best plan of action in order to limit damage and protect their data. Negotiation can be a delicate and dangerous process, so enlisting the help of a professional negotiator can be beneficial.
NIST renews partnership with National Cybersecurity Center of Excellence.
On Tuesday the US National Institute of Standards and Technology (NIST) extended its partnerships with the state of Maryland and Montgomery County, Maryland that support the National Cybersecurity Center of Excellence (NCCoE), Nextgov reports. Established in 2012, the NCCoE is described as a “collaborative hub where industry, government and academic experts work together to solve pressing cybersecurity challenges,” and the renewal includes the launch of the Small Business Cybersecurity Community of Interest to better support the cybersecurity needs of smaller enterprises. US Deputy Secretary of Commerce Don Graves stated, “This initiative will help to make sure that NIST’s guidance is both meaningful and practical for smaller companies and other organizations to put into use. Beyond benefiting the NCCoE and its participants, this new community of interest promises to improve the return on all of NIST’s investments in cybersecurity research, standards, guidelines and practices.”
TSA issues new airport cybersecurity rules.
On the heels of the US Environmental Protection Agency issuing new cybersecurity rules for the water sector last week, the Transportation Security Administration (TSA) yesterday released new cybersecurity measures for the nation’s largest airport and aircraft operators. TSA Administrator David Pekoske stated that “[p]rotecting our nation’s transportation system is our highest priority,” and the new rules extend existing TSA authorities to cover eighty airports, twenty-one passenger airlines, and four cargo lines. The covered entities will be required to develop TSA-approved security plans that include mitigation measures like patching and continuous threat monitoring. So far industry insiders have expressed little opinion about the rules themselves, stating only that they will do what it takes to maintain compliance. When asked for comment, George Novak, CEO of the National Air Carrier Association (NACA), told the Washington Post, “NACA and its member airlines are working closely with our government colleagues, along with representatives from airports and other industry partners to increase our vigilance toward these threats …TSA has worked aggressively to protect our nation's critical transportation infrastructure, and we appreciate their leadership and responsiveness in working with industry to develop effective countermeasures.” It’s worth noting that the TSA’s new rules follow the Biden administration’s release of its long-awaited national cybersecurity strategy, which highlighted the need to defend the nation's critical infrastructure systems.
(Added, 11:15 PM ET, March 8th, 2023. Duncan Greatwood, CEO, Xage Security, approved of the new regulations:
“It is encouraging to see the U.S. government following through with President Biden's cybersecurity policy announcement to provide industry-specific cyber-hardening requirements.
"There is a precedent for TSA directives leading to improved cyber security outcomes. From our close working relationships with organizations across the various TSA-regulated industries, we at Xage have firsthand knowledge that TSA security directives like those put forth for oil & gas have led to operators taking action to improve their cyber hardening and to achieve TSA compliance.
"From oil & gas to railways, TSA has taken a similar approach whereby they release industry-specific mandates, now extending that to the aviation sector. Importantly, TSA is using their regulatory authority to issue mandatory cybersecurity performance requirements, rather than simply issuing advice and guidance. I am not surprised by this move given the ongoing risks our transportation sector is facing from cyberattacks.
"I notice similarities in the TSA’s required security measures for oil & gas, railways and now aviation. TSA is stressing the importance of improving access control measures, multi-factor authentication, and security segmentation as key requirements to improve cybersecurity posture and to prevent attacks.”)
(Added, 9:30 PM ET, March 10th, 2023. Sal Morlando, Senior Director of Products at OPSWAT, wrote to offer a perspective from the infrastructure sector:
“Within the TSA emergency amendment are four actions aviation operators must take in order to mitigate cybersecurity threats: network segmentation, creation of access control measures, implementation of continuous monitoring and detection, and reduction of risk of exploited unpatched systems.
"In accordance with cybersecurity best practices established by NIST and CISA, using one-way gateways or data diodes to segment networks where possible is preferred. One-way data transfers via unidirectional security gateways or data diodes are an effective way to isolate OT/ICS assets and protect against threats that originate with IT. Further, continuous monitoring and detection of OT assets through visibility solutions enable operators to not only see what is connected to their networks but also be alerted should nefarious activity occur. Thirdly, simply installing security patches and updates is not enough to ensure cybersecurity. Operators must also take steps to ensure that their systems are properly configured and secured. Investment in zero-trust network access solutions would allow operators to secure cloud, remote and on-prem access, gain instant visibility into who is connected to the network, detect vulnerabilities and deploy automated patches, and enforce endpoint compliance and updates when necessary.
"Since the National Cybersecurity Strategy was published last week, we’ve seen EPA release their recommendations for Water and Wastewater Systems and now TSA’s actions for aviation – all within a few days of each other. We’ll likely see other critical industries do the same, with zero-trust prevention-based recommendations at their core.”
We also heard from Danielle Jablanski, Atlantic Council Member and ICS/OT Cybersecurity Strategist at Nozomi Networks. "The new requirements are in line with what we consider industry best practice for prevention, including review of existing access controls, understanding all components operating and their access points, mapping product vulnerabilities and scanning networks for known indicators of compromise," she wrote. "Cybersecurity conversations are stuck in a limited cycle of equip, buy a product, run a table-top exercise, and check compliance boxes – often skipping key steps for organization, failing to exercise function-specific responsibilities, and almost never exercising to failure like a real emergency might require. The TSA guidance for the airline industry is working to clear these hurdles, introducing new training offerings and expanding the understanding for why segmentation and detection are important components for avoiding worst case cyber scenarios. Learning from other major attacks, the weakest link in an organization may be a compromised cyber-physical system, broad access to a component of operations that enables remote access or unnecessary internet connectivity, or an IT system critical for business operations.")