Data security risks threaten approval of Chinese undersea cable plan

Articles, Blog, China, Cyber Security, cybersecurity, FCC, Law, News, Team Telecom

The US government’s “Team Telecom” wants to partially deny a proposed undersea cable connection between the US and Hong Kong over surveillance, data theft concerns.

On June 17, the intergovernmental group known as Team Telecom filed on behalf of the Executive Branch a recommendation to the Federal Communications Commission (FCC) to partially deny an undersea cable system application by a Chinese company called Pacific Light Cable Network (PLCN). Team Telecom (recently renamed the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector) consists of the Department of Homeland Security (DHS) and the Department of Defense (DOD), led by the Department of Justice’s National Security Division, Foreign Investment Review Section. In its filing, Team Telecom specifically urged the commission to reject the part of the application that involves a direct connection between the US and Hong Kong.

The rationale for the recommended rejection echoes similar recent moves by the Trump Administration to push Chinese technology out of the US telecommunications system and power grid supply chains. The White House, along with Team Telecom, has stepped up its arguments that China poses a digital and technology security threat, a contention that is occurring against a backdrop of soured trade negotiations and a politically deteriorating relationship between the US and China.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Revised DOJ compliance guidance offers risk-management lessons for cybersecurity leaders

Articles, Blog, Cyber Security, cybersecurity, Law, News

Prosecutors use this guidance to assess criminal liability in a compliance breach, so it behooves business and security leaders to understand the expectations.

In February 2017, the Criminal Division of the US Justice Department (DOJ) issued its first-ever guidance for prosecutors of white-collar crime to use when assessing whether a company complied with its own risk management program. The document urged prosecutors to consider whether a company’s compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” That guidance was updated in April 2019 into a formal document called “The Evaluation of Corporate Compliance Programs.”

Both documents aim to give prosecutors criteria to consider when bringing criminal charges. The three fundamental questions prosecutors are urged to answer when assessing whether the compliance programs are helping to “promote corporate behaviors that benefit the American public” are:

  1. Is the program well-designed?
  2. Is the program effectively implemented?
  3. Does the compliance program work in practice?

On June 1, the DOJ issued yet another update to its compliance guidance, this time weaving in new language to make sure compliance programs aren’t merely one-and-done snapshots, but are instead dynamic programs that get updated to fit changing circumstances. The new guidance also asks prosecutors to make sure compliance programs are adequately resourced within organizations.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Senate subcommittee blasts FCC and Team Telecom approach to Chinese supply chain threats

Articles, Blog, China, Congress, Cyber Security, cybersecurity, Cybersecurity Legislation, News

A report claims that oversight of Chinese telecoms for security threats to the US communications supply chain is lacking and without adequate authority.

The Senate Permanent Subcommittee on Investigations released on Tuesday a report, “Threats to US Networks: Oversight of Chinese Government-owned Carriers.” The document slams the current government review process that oversees how Chinese telecom companies operate in the United States for not rigorously monitoring Chinese tech providers. It outlines a Senate investigation that began shortly after the Federal Communications Commission (FCC) in May 2019 denied a China Mobile USA application to provide international telecom services.

The subcommittee said it reviewed more than 6,400 pages of documents and conducted more than ten interviews, including interviews with representatives from the FCC, Department of Justice (DOJ), Department of Homeland Security (DHS), China Telecom Americas, China Unicom Americas, ComNet, AT&T, Verizon and CenturyLink. The subcommittee also said it met with researchers who analyzed the Chinese government’s use of telecommunications carriers to hijack communications.

The subcommittee’s investigation found that the FCC and “Team Telecom,” a formerly informal group composed of representatives from the DOJ, DHS and Department of Defense, have failed to adequately monitor three Chinese government-owned carriers, China Telecom Americas, China Unicom Americas, and ComNet since they began operating in the United States in the early 2000s.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New cybersecurity recommendations for US government target IoT, social media

Articles, Blog, Congress, Cyber Security, cybersecurity, Cybersecurity Legislation, Cyberspace Solarium Commission, News

The COVID-19 pandemic spurs the Cyberspace Solarium Commission policy initiative to issue a set of four security recommendations for the federal government in the wake of the crisis.

The Cyberspace Solarium Commission is a unique policy initiative created in 2019 to cut through the complexity of the vast and dense cybersecurity challenges facing the country. It is composed of lawmakers and government officials from across several agencies who, working with outside experts, are devising “a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.” The high-profile focal point group came out this spring with an ambitious report that offered 75 recommendations to keep the country safe from digital threats.

Last week, the commission took its mandate one step further. It came out with its first white paper, Lessons from the Pandemic, a timely document articulating the changes the COVID-19 crisis creates for cybersecurity. The pandemic “illustrates the challenges of ensuring resilience and continuity in a connected world,” co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) wrote in their executive summary of the white paper.

The white paper contains observations about the parallels between cybersecurity and the pandemic. It stresses 32 of the commission’s original recommendations, which King and Gallagher said have attained “renewed importance” in light of the coronavirus crisis.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Cyber LEAP Act aims for innovations through Cybersecurity Grand Challenges

Articles, Blog, Cyber Security, cyber warfare, cybersecurity, Cybersecurity Legislation, DARPA, News

New bill seeks to set up competitions across the US to spur security breakthroughs.

The Senate Commerce Committee approved last week what could prove to be an essential piece of legislation for cybersecurity researchers: The Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems, or Cyber LEAP Act of 2020. Sponsored by Commerce Committee Chairman Roger Wicker (R-MS) and Senators Cory Gardner (R-CO) and Jacky Rosen (D-NV), the bill establishes a national series of Cybersecurity Grand Challenges so that the country can “achieve high-priority breakthroughs in cybersecurity by 2028.”

The challenges set up under the legislation will offer prizes, including cash and non-cash prizes, to competition winners, although the prizes aren’t yet spelled out. The legislation directs the secretary of commerce to set up the competitions in six key areas:

  1. Economics of a cyber attack, focused on building more resilient systems while raising the costs for adversaries
  2. Cyber training, to give Americans digital security literacy and boost the skills of the cyber workforce
  3. Emerging technology, to advance cybersecurity knowledge in emerging technologies such as artificial intelligence
  4. Reimagining digital identity, aimed at protecting the digital identities of US internet users
  5. Federal agency resilience, to reduce cybersecurity risks to federal networks and improve the federal response to cyberattacks
  6. Other challenges as determined by the secretary of commerce

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Executive order boots “foreign adversaries” from US electric grid over security concerns

Articles, Blog, Critical Infrastructure, News

White House action implies that China is “creating and exploiting” vulnerabilities in the US power grid. Experts say hardware backdoors have the potential for doing significant damage.

On May 1, the Trump Administration issued an Executive Order on Securing the United States Bulk-Power System. According to the order, the administration found that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life.”

The executive order (EO), which also encompasses “malicious cyber activities,” determines “that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” It declares “a national emergency with respect to the threat to the United States bulk-power system” and prohibits the purchase or installation of specific equipment from foreign adversaries.

The prohibition applies only to a specified list of electrical equipment that poses an undue risk of sabotage or subversion of the equipment’s design, contributes to the declared national emergency with respect to the threat to the United States bulk-power system, or otherwise poses an unacceptable risk to the national security of the US or the security and safety of US persons. The order requires the energy secretary to work with other agencies “to identify bulk-power system electric equipment that poses the types of risks associated with prohibited transactions” and to adopt rules and regulations to implement the order within 150 days.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

4 critical issues surrounding contact-tracing apps

Articles, Blog, News

As countries rush to release contact-tracing apps, experts fear a lack of security and privacy controls.

Researchers, governments and tech companies around the world are racing to create mobile apps to track coronavirus exposure. Potentially dozens of these contact-tracing apps are under development or being debated across the countries of the world.

These apps typically follow either a centralized or decentralized approach, roughly corresponding to the level of government control over the apps and the different kinds of technology deployed on mobile phones.

Decentralized apps are best represented by the joint Google and Apple API (sometimes referred to as “Gapple”) under development in the US, which will allow health agencies to develop their own apps. Another prominent model for decentralization is the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol, which European countries including Germany, Austria, Switzerland, Lithuania, Estonia, Finland and Ireland are developing.

The centralized apps are best illustrated by the UK’s contact-tracing app developed by the National Health Service (NHS) technology group NHSX (although a recent report says the UK is considering switching to the Apple-Google model). Australia’s COVIDSafe app was modeled on a similar approach in Singapore. China, which has required citizens to use location and health status tracking apps since February, stands out as a dominant example of centralized app use. Another centralized example is Israel, which used its state intelligence service’s phone tracking technology, usually reserved for tracking terrorists, to trace Israelis diagnosed with COVID-19.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Attempted cyberattack highlights vulnerability of global water infrastructure

Articles, Blog, News

Water utilities often have few cybersecurity resources and are subject to few regulations. A failed Stuxnet-like attack on Israel’s water supply shows how dangerous that could be.

In late April, Israel’s National Cyber Directorate received reports about an attempted “major” cyberattack on its water infrastructure. According to a statement issued by the directorate, the attack consisted of “assault attempts on control and control systems of wastewater treatment plants, pumping stations and sewers.”

The directorate called on water companies to change the passwords of their internet-facing systems, make sure their control system software is updated, and undertake other cyber hygiene measures to tighten security. The attempted attacks were unsuccessful, according to the directorate, and appeared to be coordinated. Of particular concern was the chlorine level in the water supply: the directorate asked water companies to look for any disruptions, especially in chlorine dosing.

The geopolitical nature of the attack points to actors who favor an independent Palestinian state. “It’s more likely a state actor that would be supporting them, such as the Iranians who have built quite a cyber force,” says Matt Lampe, who most recently served as CIO for Los Angeles Water and Power and is now a partner in critical infrastructure cybersecurity advisory firm Fortium Partners.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

No election security funding in latest round of stimulus funding

Articles, Blog, News

Doubts raised about funding for 2020 election security and mail-in voting as money omitted from the latest stimulus bill.

While the economic and social fallout of the coronavirus captures virtually all federal, state and local policymaking resources, the US is quickly moving into a critical election season with election safety and security issues still unresolved. Yesterday, the House of Representatives voted overwhelmingly to pass the latest in a string of coronavirus-related bills, a $484 billion economic stimulus measure, the Paycheck Protection Program and Health Care Enhancement Act.

That bill, a companion to a law passed by the Senate, did not contain provisions to help states and local jurisdictions with the likely need for mail-in voting and increased voting security, as some lawmakers and state officials had earlier hoped.

This latest stimulus bill follows several other pieces of stimulus legislation, including a significant bill signed into law on March 27, the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act provided $400 million for states to “prevent, prepare for, and respond to coronavirus, domestically or internationally, for the 2020 Federal election cycle.” Those funds are aimed at making voting in the upcoming presidential and other elections in November “safe” given the coronavirus scourge and the likely need for a quick shift to mail-in ballots in addition to continued electronic voting at polling stations.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Legions of cybersecurity volunteers rally to protect hospitals during COVID-19 crisis

Articles, Blog, News

The COVID-19 Cyber Threat Intelligence League and other groups cooperate with the industry, law enforcement, and the government to prevent attacks on healthcare providers.

Last month, some of the usual cast of online scammers and malware miscreants promised to refrain from attacking healthcare organizations or exploiting them during the COVID-19 crisis, showing a sense of honor unexpected from ransomware attackers and cryptocurrency thieves.

However, this ceasefire turned out to be a head-fake. Within a week of those vows, malware purveyors and con artists rushed to send out phishing emails while masquerading as healthcare organizations and even launched attacks against hospitals and other critical facilities. Last week, Google alone was blocking 18 million COVID-19 phishing or malware-delivery emails per day.

One group of esteemed hackers and cybersecurity experts couldn’t stand idly by and watch cybercriminals take advantage of this unprecedented crisis or, even worse, damage overtaxed and much-needed healthcare facilities. So, Marc Rogers, head of sec ops for DEF CON and VP of cybersecurity strategy for Okta; Nate Warfield, senior security program manager at Microsoft; Chris Mills, also a key security player at Microsoft; and Ohad Zaidenberg, lead cyber intelligence researcher at Clearsky Cyber Security, formed the COVID-19 Cyber Threat Intelligence League (CTI League).

[This article appeared in CSO Online. To read the rest of the article please visit here.]