Articles

Presidential campaigns taking email security more seriously–not so much at the local level

Articles, Blog, News

DMARC now protects the email domains for most U.S. presidential candidates, according to a new report, but local election bodies lag behind and are vulnerable to spoofing.

The 2020 election season got off to what could be a record-setting rocky start with delays in the reporting of the Iowa caucus results due to a poorly developed app. The failure of the mobile IowaReporterApp, developed for the Democratic party by a company called Shadow, Inc., followed by revelations that the app was riddled with security errors, further fanned the flames of anxiety about the security of 2020 voting and election systems. (To be clear, the IowaReporterApp was not a mobile voting app but merely a means of collecting and reporting the results of the individual caucuses.)

Against the spectacular failure of the Iowa caucus and as the Democrats head into tomorrow’s New Hampshire primary having ditched the Shadow app, there are some signs that election-related security is otherwise headed in the right direction. For the first time, the 2020 U.S. presidential election hit a milestone because more than half of the candidates for president have domains that are protected from spoofing, according to a just-released study by identity-based anti-phishing company Valimail.

Of the 14 candidates currently in the race (including Donald Trump but excluding Joe Walsh, who dropped out last week), eight are protected by Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies set to enforcement. DMARC is an email authentication, policy and reporting protocol that builds on two other widely deployed email security protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which give domain owners control over who can send email as them.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Recent False Claims Act cases a caution to gov’t contractors that skimp on security

Two FCA cases unsealed in 2019 show that contractors can face multi-million-dollar penalties if they don’t comply with federal government cybersecurity requirements.

The False Claims Act (FCA), otherwise known as the “Lincoln Law,” can cost companies that supply goods or services to the federal government millions of dollars if they fail to provide the digital security protections they promise, as two recent cases illustrate. In one of the cases, Cisco Systems was forced to pay millions of dollars to the federal and state governments.

First passed in 1863 during the Lincoln Administration, the FCA was aimed at fraudulent contractors who sold bad horses, provisions and munitions to the Union Army. One of the law’s provisions allows for citizen “relators” or whistleblowers to be paid a percentage of what can be recovered from those who are proved to have made false claims to the federal government in the sale of goods or services.

Between the Civil War and the mid-1980s, the FCA was little used until it was given a shot in the arm by Congress in 1986 to deal with rampant problems involving defense contractors. The FCA was revised again by Congress in 2009 and 2010.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

On the 2020 Congressional cybersecurity agenda: Critical infrastructure, copyright exemptions

Despite the distraction of an election year, Congress is expected to give the Department of Homeland Security tools to identify critical infrastructure threats and copyright exemptions to security researchers.

Distracted by high-profile developments, gridlocked by partisan resentment, and time-crunched due to the election year, Congress is nevertheless swinging into gear on specific cybersecurity issues, Washington insiders told attendees at Shmoocon 2020 this past weekend. Among the top items that Congress might tackle are new subpoena powers to address critical infrastructure threats, a big-picture policy report, and copyright law exemptions that protect security researchers.

Congressional interest in cybersecurity has escalated over the past decade, the panelists agreed. “Congress members are aware of a challenge. They want to do something to fix it,” Nick Leiserson, legislative director to Congressman Jim Langevin (D-RI), a senior member of the House Armed Services and Homeland Security Committees, said. “There is engagement, and that is very important. That is a change that is not where we were ten years ago when my boss was being looked at [oddly] by his colleagues. You know, they were like, ‘Here’s the tinfoil hat, Jim,’” he said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

US elections remain vulnerable to attacks, despite security improvements

Continued Russian interference, insecure paperless voting processes will sow doubt about the next election.

Days away from the Iowa caucuses, and less than 11 months from the general election, voting and election security continues to be a challenge for the U.S. political system. Threats to a secure election appear to loom as large today as they did in 2016, when Russian state-backed hackers and social media trolls threw U.S. political campaign and election efforts into chaos, turmoil that has only become clear after the fact.

Certainly, voting security has made great strides since 2016. State and local governments took advantage of a funding boost under the Help America Vote Act to improve their infrastructure and better coordinate among themselves to harden election systems. Congress allocated an additional $425 million as part of a spending compromise that was passed and enacted in late December, giving election officials even more latitude to make improvements.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

2020 outlook for cybersecurity legislation

Here’s a rundown of all the security-related bills working their way through this year’s U.S. Congress, plus some hot security topics likely to be debated.

As the partisan divide in Washington widens during this 116th Congress, the prospects of enacting any meaningful legislation that bolsters the nation’s cybersecurity seem, at first blush, dim. Of the nearly 300 pieces of legislation that touch on some aspect of cybersecurity, or more urgently, election security, introduced since the current Congress began last year, only nine have become law. Most were budget-related measures that appropriated or increased funds for federal agencies to spend on cybersecurity or election security as part of the fiscal 2020 spending deal passed in December.

Now, roughly halfway through the current Congress, it’s time to take stock and review where things stand in the legislative arena. A number of bills have been passed by either the House or the Senate and are awaiting further action. They are worth watching in 2020 because they have progressed the farthest and arguably might come closest to gaining some momentum toward passage.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

High-profile departures widen federal government’s security talent shortage

Recent key departures–voluntary and forced–might make it harder for government agencies to find the talent needed to fulfill their security missions.

Respected and influential government cybersecurity veteran Jeanette Manfra announced this month that she is leaving her position at DHS to join Google as its global director of security and compliance as part of a new security team at Google Cloud. At Google, Manfra, who currently holds the title of Assistant Director for Cybersecurity for the Office of Cybersecurity and Communications at DHS’ Cybersecurity and Infrastructure Security Agency, will spearhead an “Office of the CISO” initiative at Google Cloud to help customers improve their security postures.

Manfra’s departure is just the latest in a string of high-profile departures from the ranks of well-regarded cybersecurity experts from the federal government. Google recruited at least two other prominent government cybersecurity officials to join its ranks. Kate Charlet, who served as acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense, left in 2017 and is now Director of Data Governance at Google. Daniel Pietro, who was Director for Cybersecurity Policy on the staff of the National Security Council, left his role in 2017 to work at Google as an executive for Public Sector Cloud at Google.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

The race for quantum-proof cryptography

Lawmakers briefed on quantum computing’s threat to encryption and the urgent need for mathematical research

One of the biggest threats to privacy and national security is the ability of the immensely powerful quantum computers to break prevailing methods of encryption almost instantaneously. Once quantum computers become a reality, something that could conceivably happen in the next decade or two, all of the data protected by encrypted systems on the internet will become decrypted and unprotected, accessible to all individuals, organizations or nation-states.

Dr. Jill Pipher, President of the American Mathematical Society, VP for Research, and Elisha Benjamin Andrews Professor of Mathematics at Brown University, led a briefing last week for lawmakers on Capitol Hill called “No Longer Secure: Cryptography in the Quantum Era” about the threats that quantum computing poses to existing cryptographic systems that support national and economic security. Senator Jack Reed (D-RI) began the briefing by saying “we’re acutely aware of the potential advantages and disadvantages that quantum presents. And we’re also very concerned that some of our adversaries and competitors are investing a great deal in quantum computing.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

CrowdStrike, Ukraine, and the DNC server: Timeline and facts

Politicizing cybersecurity only serves to undermine trust in its practices and objectivity, experts fear.

President Donald Trump, Senator John Kennedy from Louisiana and Secretary of State Mike Pompeo have all given credence to what cybersecurity experts and the US intelligence community deride as a baseless conspiracy theory pushed by Russia. That theory posits that Ukraine, and not Russia, was responsible for hacking into the networks of the Democratic National Committee (DNC) in the run-up to the 2016 presidential election.

Kennedy quickly backtracked from blaming Ukraine for the DNC hack, but nonetheless left wiggle room to return to this contention. After admitting he was “wrong” to imply Ukraine and not Russia hacked the DNC, he went on to say, “There is a lot of evidence, proven and unproven — everyone’s got an opinion — that Ukraine did try to interfere, along with Russia and probably others, in the 2016 election.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Global threat groups pose new political and economic dangers

Nation-state players in Iran, North Korea, Saudi Arabia and Russia are getting new objectives and changing strategies, say experts.

While widely known advanced persistent threat (APT) groups emanating from Russia and China grab most of the spotlight, an array of other nation-state and adjacent threat actors are increasingly launching cyberattacks around the globe. At this year’s Cyberwarcon conference, nearly 20 of the world’s top cybersecurity researchers presented their thoughts on these less visible and complex groups, outlining their latest strategies and developments.

Iran, which is rapidly emerging as one of the most destructive of the nation-state cyberwarfare actors, has a threat group known as APT33, one of the country’s most malicious cyber actors. APT33 has targeted aerospace, defense, and energy organizations. For the most part, the group is regionally focused, targeting Saudi-owned and -operated entities, according to Saher Naumaan, a threat intelligence analyst at BAE Systems Applied Intelligence.

APT33, also called Refined Kitten, Magnallium, Holmium and Alibaba, has been around since 2014 and is best known for its data-wiping malware called Shamoon, which erased at least 30,000 computers belonging to Saudi Aramco in 2012. Since then, APT33 has been implicated in campaigns against industrial players in the Middle East and Europe.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

A new era of cyber warfare: Russia’s Sandworm shows “we are all Ukraine” on the internet

In-depth research on Russia’s Sandworm hacking group shows broad capabilities and scope to disrupt anything from critical infrastructure to political campaigns in any part of the world.

Speakers at this year’s CyberwarCon conference dissected a new era of cyber warfare, as nation-state actors turn to a host of new advanced persistent threat (APT) strategies, tools and tactics to attack adversaries and spy on domestic dissidents and rivals. The highest profile example of this new era of nation-state digital warfare is a Russian military intelligence group called Sandworm, a mysterious hacking initiative about which little has been known until recently. The group has nevertheless launched some of the most destructive cyberattacks in history.

Wired journalist Andy Greenberg has just released a high-profile book about the group, which he said at the conference is an account of the first full-blown cyberwar led by these Russian attackers. He kicked off the event with a deep dive into Sandworm, providing an overview of the mostly human experiences of the group’s malicious efforts.

Sandworm first emerged in early 2014 with an attack on the Ukrainian electric grid that “was a kind of actual cyberwar in progress,” Greenberg said. The grid operators in Ukraine watched helplessly as “phantom mouse attacks” appeared on their screens while Sandworm locked them out of their systems, turned off the backup power to their control rooms, and then turned off electricity to a quarter-million Ukrainian civilians, the first-ever blackout triggered by hackers.

[This article appeared in CSO Online. To read the rest of the article please visit here.]