Cyber Briefing ~ 03/22/2024
McCrary Institute for Cyber & Critical Infrastructure Security
Working to protect and advance U.S. interests in the areas of cyber and critical infrastructure security.
~Director's Note Friday~
Dear Readers
This week on Cyber Focus, Chris Krebs, the former director of CISA, provided great perspective on the current cybersecurity landscape and the challenges facing both government and private sector entities. Krebs highlighted the continual need to support state and local governments as well as small and medium-sized businesses. He underscored the importance of strengthening detection capabilities, fostering coordination between government and industry, and looking ahead to emerging threats amplified by rising geopolitical tensions.
The White House and EPA raised alarms about cyberattacks targeting water and wastewater systems throughout the United States. They urged state governments and water facilities to enhance their cybersecurity practices and implement basic precautions to mitigate the risk of disruptive cyberattacks.
Echoing that call, the Five Eyes alliance issued a stark warning to critical infrastructure entities about the threat posed by Volt Typhoon, a formidable Chinese state-sponsored hacking group with a track record of compromising vital sectors like communications, energy, transportation, and water utilities. CISA associate director for China operations shared, “We know they’re on the network… if the order was given, they could disrupt some services in this country right now.” If you’re interested in a quick highlight of the threats Chinese hackers pose to our critical infrastructure, outgoing NSA cybersecurity director Rob Joyce adds some color to this important topic.
The FCC has taken a big step towards enhancing consumer trust in smart devices with the introduction of the "U.S. Cyber Trust Mark." This voluntary program will label internet-connected products that adhere to robust cybersecurity standards, providing transparency and fostering better-informed purchasing decisions among consumers.
This week, geopolitical tensions escalated in the realm of space-based technology. Russia issued a warning to the United States, declaring that the use of commercial satellite operators like SpaceX for intelligence gathering renders these satellites as “legitimate military targets.”
A little closer to home, small utilities are grappling with the daunting challenge of defending against cyber threats. These essential service providers often lack the necessary resources, such as funding, expertise, and access to updated cybersecurity tools and technology. To bridge this gap, Dragos CEO Rob Lee penned an article on ways to offer emerging support to small utilities, highlighting the need for increased funding, streamlined access to cybersecurity tools and technology, and the ability to recover costs for essential cybersecurity investments.
Lastly, in a thought-provoking WSJ op-ed, McCrary Institute Senior Fellow Kiran Sridhar and his colleague Michael Boskin offer a critical assessment of the Biden administration's defense budget. They argue that chronic underfunding and sequestration have eroded America's military strength and readiness. Calling for substantial and sustained increases in defense spending, they highlight the urgency of expanding capabilities in the cyber and space domains.
War Eagle,
Frank Cilluffo
The National Security Agency (NSA) is actively searching for Chinese hackers who have infiltrated critical infrastructure in the United States. Outgoing director of cybersecurity, Rob Joyce, expressed concerns about China's hacking campaign, which aims to remain undetected until a strategic moment arises. The hackers could potentially disrupt American infrastructure, such as airports and the power grid, in the event of a conflict. While there is limited public information about these hacking campaigns, the NSA is working to uncover and eliminate the threats. Joyce believes that China would reserve such attacks for major conflicts due to the anticipated substantial response from the U.S.
The Biden administration is granting up to $8.5 billion in grants and $11 billion in loans to Intel to support computer chip production in multiple states. The investment aims to boost high-tech manufacturing, enhance national and economic security, and create thousands of jobs. The funding is part of Biden's strategy to strengthen domestic industry and infrastructure. The awards to Intel are the largest yet under the Chips and Science Act of 2022, which addresses the need to reduce reliance on Asian chip manufacturers. The United States aims to bolster its domestic chip production to mitigate economic and national security risks.
The House of Representatives has passed a major privacy bill with broad support, marking significant Capitol Hill action on tech. The bill has sparked questions about national security, TikTok, and its future in the Senate. While the bill targeting data brokers has gained support from progressive lawmakers, the TikTok bill has faced opposition due to concerns about political influence and free speech. The bills will now move to the Senate, where their fate is uncertain. The data broker bill has received more support and may have a better chance of advancing. The TikTok bill, on the other hand, could face constitutional challenges if it becomes law. The two bills were initially packaged together but have drawn different reactions from various stakeholders.
Experts criticize Change Healthcare's slow recovery process after a cyberattack that occurred four weeks ago, as at least 100 services remain offline. The impacts of the intrusion are considered unprecedented, raising concerns about the company's ability to respond effectively to such incidents.
The FCC voted this week to create a voluntary cybersecurity labeling program to help consumers identify smart devices that meet widely accepted security and privacy standards. The program aims to help people make informed purchasing decisions by differentiating trustworthy products in the marketplace and incentivizing manufacturers to meet higher cybersecurity standards. A new "U.S. Cyber Trust Mark" logo will appear on qualifying products alongside a QR code linking to details on security support and updates.
President Joe Biden announces that chipmaking giant Intel will receive billions of dollars in grants as part of an industrial policy aimed at boosting domestic spending, job creation, and U.S. competitiveness in semiconductors. The grant is the largest award from the CHIPS and Science Act of 2022, supporting Intel's investments across multiple states and the creation of 30,000 jobs.
The recent cyberattack on Change Healthcare has exposed the healthcare sector's lack of preparedness for such attacks. The ongoing outage at Change Healthcare, a major medical payments clearinghouse, has caused financial strain for providers, disrupted pharmacy operations, and hindered patient access to medication. The incident highlights the need for critical healthcare companies to have functional backup networks to ensure uninterrupted operations. The healthcare industry's limited investment in cybersecurity, combined with the sharing of vulnerabilities among cybercriminals, poses a long-term problem that requires patching vulnerabilities and implementing stricter standards for backup systems and critical processes. Lawmakers have called for investigations into the cyberattack and are pushing for greater accountability and cybersecurity standards in the healthcare industry.
Senate Commerce Chair Maria Cantwell and Senate Intelligence Chair Mark Warner are pushing for the declassification of information regarding the threats posed by the Chinese owner of TikTok. They seek to hold a public hearing on the matter and believe that more intelligence should be made public. The Senate has yet to act on a bipartisan bill that would require the sale of TikTok or result in a ban. Cantwell plans to meet with the bill's sponsor to discuss potential legislation.
Ireland is attracting Chinese tech giants like TikTok, Temu, and Shein to boost its economy, but this move could pose risks as trade tensions between the West and China escalate. Analysts warn that Ireland's close relationship with the United States and its dependence on Big Tech could be jeopardized by welcoming Chinese firms. Concerns include potential economic coercion from Beijing, cybersecurity threats, and questions about China's data policies and human rights record.
Six additional countries, including Ireland, Poland, Finland, Germany, South Korea, and Japan, have formally signed on to a U.S.-led pledge to use spyware technology responsibly and prevent its malicious use. This signifies a growing international concern over the misuse of spyware against government officials and journalists. The announcement was made by Secretary of State Antony Blinken during the Summit for Democracy in South Korea. The U.S. aims to crack down on the misuse of commercial spyware and plans to announce further actions to address the issue later this week.
Russia has warned the United States that its use of commercial satellite operators, such as SpaceX, for intelligence purposes makes those satellites legitimate targets. This comes after reports that SpaceX is building a network of spy satellites under a classified contract with a U.S. intelligence agency. Russia stated that such systems could face retaliatory measures, including military actions.
Government agencies in the US, UK, Canada, Australia, and New Zealand are warning critical infrastructure entities about the threat posed by Volt Typhoon, a Chinese state-sponsored hacking group. The group has successfully hacked organizations worldwide, including in the communications, energy, transportation, and water sectors. The agencies provide guidance on defending against Volt Typhoon, emphasizing the need for informed resourcing decisions, detection and hardening best practices, comprehensive security plans, and incident response plans. Smaller organizations without cybersecurity teams are advised to obtain managed security services. Securing the supply chain and promptly reporting incidents are also recommended.
The U.S. Environmental Protection Agency (EPA) is planning to establish a task force dedicated to addressing the increasing number of cyberattacks on the water sector from nation-states like Iran and China. The EPA will hold a meeting with state officials to discuss the need to protect critical water infrastructure against cyber threats. The task force will focus on identifying vulnerabilities in water systems and developing strategies to mitigate the risk of cyberattacks. The EPA aims to collaborate with state leaders to strengthen the cybersecurity of water and wastewater systems in the country.
Intel has been awarded $8.5 billion under the Chips Act to fund the construction of new factories and expansion projects in Arizona, New Mexico, Ohio, and Oregon. The grant aims to boost U.S. semiconductor manufacturing, addressing supply chain disruptions and geopolitical tensions with China. The funding, part of President Biden's industrial policy, is expected to help Intel create over 10,000 jobs and contribute to the production of 20% of the world's leading-edge chips by the end of the decade.
The Biden administration is reportedly considering blacklisting several Chinese semiconductor firms linked to Huawei Technologies after the telecom giant achieved a significant technological breakthrough last year. The move would escalate efforts to restrict Beijing's AI and semiconductor ambitions and put pressure on Huawei, which has made strides despite existing sanctions. The companies that could face blacklisting include Qingdao Si'En, SwaySure, and Shenzhen Pensun Technology, among others. The US government is also pressing allies to tighten restrictions on China's access to semiconductor technology. No final decisions have been made.
Wars between great powers rarely end quickly; they tend to be long, grueling slogs of attrition that expand horizontally, ensnaring other regions. While war games and novels often depict short, decisive conflicts, a war between the US and China would be a global grind lasting years, with multiple theaters and escalating tensions. Policymakers and military leaders must plan for the broad range of implications of such a prolonged conflict.
The Biden administration's budget fails to address the significant challenges facing the U.S. military. Insufficient and inflexible funding, coupled with chronic underfunding and sequestration, have hindered the military's ability to meet even diminished standards. Urgent priorities, such as a larger Navy, modernized defense systems, and increased capabilities in cyber and space, require sustained yearly increases of $100 billion or more. Efforts to improve efficiency and provide adequate funding are crucial for rebuilding the military.
The US Department of Transportation (DOT) has announced a comprehensive review of data security and privacy policies across major US airlines. The review will assess whether airlines are adequately protecting customers' personal information and if they are engaging in unfair or deceptive practices regarding data monetization and sharing with third parties. The DOT will send letters to airline executives to inquire about data collection and handling, targeted advertising, and employee training. The investigation aims to take enforcement action against problematic practices. The review is part of the US government's broader efforts to protect consumer privacy. The DOT will collaborate with Senator Ron Wyden, an advocate for privacy rights, during the review.
The Cybersecurity and Infrastructure Security Agency (CISA) has urged Apple users to apply necessary updates for Safari, macOS, watchOS, tvOS, and visionOS. CISA warns that cyber threat actors could exploit vulnerabilities in these systems to take control of affected devices. The updates include important security patches and address multiple security issues, including potential data exposure and unauthorized access. Regularly updating Apple devices is crucial for maintaining functionality and security, as it helps protect against unauthorized access, data theft, and malware infections.
This article highlights the impactful roles of Theresa Payton, Bridget O'Connor, and Melissa O'Leary in the cybersecurity landscape. Theresa Payton, the first female CIO at the White House, led the digital transformation agenda and established the first dedicated Security Operations Center. Bridget O'Connor navigated cultural shifts and technological transitions, while Melissa O'Leary emphasized collaboration and strategic leadership. These women now lead Fortalice, a women-led cybersecurity consulting firm known for its innovative approaches. Their contributions inspire diversity and inclusion in the industry.
The Federal Communications Commission (FCC) has approved a U.S. cyber label program that will help consumers determine the security of their connected devices. Manufacturers can place a U.S. Cyber Trust Mark on their products after undergoing third-party testing to assess security features. The label will provide information such as default password changes, software updates, and security support timeframes. Consumer Reports urges quick implementation of the program and encourages retailers to stock products that meet the label's standards.
Researchers have unveiled a technique called Unsaflok, which exploits vulnerabilities in Saflok-brand RFID-based keycard locks used in 13,000 properties across 131 countries. By obtaining and reprogramming a keycard, hackers can open any door in a hotel using the Saflok system, potentially affecting 3 million doors worldwide. Although the lock manufacturer, Dormakaba, has been made aware of the vulnerabilities, it may take months or even years for the necessary updates and replacements to be implemented.
UnitedHealth's subsidiary, Change Healthcare, has announced the complete restoration and rebuilding of its cloud-based services for medical claims following a cyber attack. With the assistance of Palo Alto Networks and Mandiant, the services were rebuilt and cleared for use. Change Healthcare processes 50% of medical claims in the US and has taken measures to support affected healthcare providers.
There is an ongoing global political battle taking place to determine how to control and regulate artificial intelligence. The EU, the US, China, and other nations all have different approaches, from binding laws to voluntary industry commitments. With AI risks climbing the political agenda, the next year will likely solidify standards. The stakes are high as Western democracies try to reach a consensus, or else China may step in and set global rules for a potentially dangerous technology.
The Department of Homeland Security (DHS) has announced a new pilot program that will use generative AI to train immigration officers. The U.S. Citizenship and Immigration Services is developing an app that will generate personalized training materials to provide officers with up-to-date knowledge of relevant policies and laws. This initiative is part of a broader overhaul of DHS's AI efforts, directed by President Joe Biden's AI executive order. The DHS has requested $5 million from Congress to support its AI work.
The Biden administration imposed sanctions on Russian operatives behind a disinformation network that targets independent media and democratic institutions in Europe. The sanctioned individuals, Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin, are accused of providing services to the Kremlin for its malign influence operations. The network includes over 60 websites that mimic legitimate European news outlets, along with inauthentic social media accounts. This action demonstrates the U.S. government's commitment to counter Russia's evolving disinformation tactics.
Several states have moved to protect voter privacy by preventing records from being published online, but a string of lawsuits from conservative groups is overturning those laws and forcing all voter data to be posted publicly. Some see voter info as a federal transparency right, but officials argue it enables harassment. Without federal action, voter privacy advocates see little recourse as more personal data is forced online against states' wishes.
Top officials from the Biden administration have urged UnitedHealth Group to provide more details about the full restoration timeline for its billing subsidiary following last month's ransomware attack. While UnitedHealth has made significant progress in the past three weeks, concerns remain about the ongoing financial impact of the cyberattack on Change Healthcare. The Department of Health and Human Services has called for greater clarity from UnitedHealth to assist small healthcare providers who are still experiencing cash crunches due to the disruption. UnitedHealth has restored its electronic payment systems and has provided $2 billion in advanced payments to healthcare providers so far.
The U.S. Department of Health and Human Services (HHS) has announced that more insurers have agreed to accelerate payments to healthcare providers affected by the recent Change Healthcare cyberattack. While the names of the insurers were not disclosed, HHS officials stated that claims are starting to flow and that progress has been made in paying impacted providers. UnitedHealth Group, the owner of Change Healthcare, has already advanced $2 billion in payments to affected providers. CVS Health and Aetna have also accelerated payments on a case-by-case basis, while Cigna, Elevance, and Humana have not provided comments on the matter.
A US government fact sheet provides an overview for executives on the threat posed by Chinese state-sponsored hackers known as Volt Typhoon. It warns they have compromised US critical infrastructure to enable future disruption. It urges leaders to empower cybersecurity teams, secure supply chains, drive an internal culture, and report incidents. It provides actions like using intelligence tools to prioritize defense, applying best practices to detect living-off-the-land techniques, continuous training, comprehensive planning and exercises, vendor risk management, and collaboration across units. Resources and contact info for reporting are included.
Officials from the EPA and the White House have warned that threat actors linked to China and Iran are targeting water and wastewater systems in the US, posing a risk to clean and safe drinking water. The EPA has called on governors to assess their current cybersecurity practices, identify vulnerabilities, and take steps to reduce cybersecurity risks. The EPA plans to establish a Task Force to address the vulnerabilities of water systems to cyberattacks and provide guidance and assistance. Drinking water infrastructure, which often lacks robust cybersecurity measures, is an attractive target for hackers.
The White House has announced an agreement with the Department of Commerce to provide Intel with up to $8.5 billion in funding to support U.S.-based chip production. This move is part of efforts to address supply chain bottlenecks and geopolitical tensions with China, and to revitalize U.S. industry. Intel plans to invest ten times that amount over the next five years, creating thousands of jobs and establishing manufacturing facilities in Arizona, New Mexico, Oregon, and Ohio. However, experts suggest more needs to be done to bridge the gap with competitors like TSMC.
Intel is preparing to invest $100 billion in building and expanding factories across four US states, with $19.5 billion secured in federal grants and loans. The plan includes creating the world's largest AI chip manufacturing site near Columbus, Ohio, alongside revamping sites in New Mexico and Oregon and expanding operations in Arizona. The funding, which includes tax breaks, aims to help Intel regain its manufacturing edge and become a serious player in the foundry market for cutting-edge chips. However, analysts suggest more investment will be needed to overtake rival Taiwan Semiconductor Manufacturing Co.
French technology giant Atos, responsible for managing data and cybersecurity for France's nuclear weapons programs, military, and the upcoming Paris Olympics, faces financial uncertainty. Talks to sell its cybersecurity assets to Airbus have been called off, causing a 20% drop in Atos' shares. The French government is working on a national solution to protect Atos, citing the need to preserve strategic activities. Atos has relied on debt-financed acquisitions and faces significant debt repayments. The company's shares have plummeted, and it is evaluating strategic alternatives to stabilize its financial situation.
A White House advisory warns of threat actors from Iran and China targeting US water and wastewater systems, urging operators to review cybersecurity practices and implement risk mitigation controls. Concerns arise from past attacks and the ongoing potential for disruptive cyberattacks on critical water infrastructure. The vulnerability of these systems, coupled with outdated software and known vulnerabilities, makes them attractive targets. The government has allocated funds to enhance cybersecurity in rural water systems, and the separation of IT and operational technology environments is being adopted as a defense measure.
High-profile takedowns of ransomware groups like LockBit and ALPHV have caused a shift in the cyber underground. Affiliates, the hackers carrying out attacks, are moving away from well-known Ransomware-as-a-Service (RaaS) groups towards lesser-known startups that offer trust. These startups offer better profit-sharing models, access to support teams, and a focus on building trust with affiliates. As trust in larger ransomware groups wanes, these startups are attempting to fill the void. The landscape is volatile, and the impact of these shifts remains to be seen.
A victim shares their experience of falling for a vishing (voice-phishing) attack, highlighting the effectiveness of emotional manipulation and the importance of recognizing red flags and seeking verification.
Companies are carefully choosing their words when describing cyber incidents in SEC filings. Rather than using terms like "breach" or "data breach," businesses opt for milder language to limit doubts about their response capabilities and legal liabilities. Only 12 initial Form 8-K filings have been submitted since the SEC's cyber disclosure rules took effect, with most mentioning an "incident" and unauthorized activity or access. Some companies, such as VF Corp. and Microsoft, have gone beyond the mandated requirements to disclose additional details about the attack vector, threat actor, data theft, and impacts on operations or systems.
A compilation by law firm Bryan Cave Leighton Paisner reveals that half of all states in the US have laws related to artificial intelligence (AI), with the main focus being on curbing profiling. These laws aim to regulate the use of AI technology to categorize individuals for targeted marketing, hiring decisions, insurance coverage, and other business purposes. California and Colorado lead the way with two AI laws each, both incorporated into broader data privacy legislation. Other states are either in the process of passing AI laws or considering them. The laws primarily address concerns related to profiling.
The article recounts how eight Google employees invented the AI architecture called transformers, detailed in their influential 2017 "Attention Is All You Need" paper. It traces the origin to Jakob Uszkoreit's idea for "self-attention" models and his teaming up with colleagues, including Ashish Vaswani and Llion Jones. Noam Shazeer then provided key optimizations to make transformers surpass previous methods. Though initially seen as an academic exercise, transformers proved revolutionary, becoming the backbone of ChatGPT, Dall-E, and modern AI. All eight authors have since left Google for AI startups now worth billions, while Google was slow to utilize their breakthrough invention. But the story illustrates how Google's environment once fostered groundbreaking innovation.
The rise of cybersecurity in response to state-sponsored attacks necessitates a dedicated and evolving response. The integration of cyber defense systems is crucial for national security, economy, and privacy rights. A comprehensive solution, such as a cyber defense integrator, is needed to address the fragmented cybersecurity landscape and create interoperability among different systems. This integrator should also be nimble, adapting rapidly to new threats, techniques, and technologies. Encouraging interoperability and adaptability in cybersecurity products requires a collective effort from the government and private sector. The time to act is now to ensure the future of the nation.
Charlotte A. Tschider argued in March 2024 that a private certification model for cybersecurity practices, leveraging existing standards and audits, could be reinforced by public auditors and litigation models with little taxpayer cost. This would establish a liability safe harbor for organizations meeting industry cybersecurity standards, providing consistent legal direction and incentivizing collective security improvements across supply chains over time.
Copyright © 2024 Auburn University's McCrary Institute. All Rights Reserved.