Cyber Briefing ~ 05/01/2024

US Spy Agencies to Share Intelligence on Critical Infrastructure in Policy Revamp

As outlined in a revised policy document signed by President Biden, the U.S. intelligence community will now be required to share information about threats to critical infrastructure with the owners and operators of those systems. The updated policy aims to improve information flow and address the evolving threats facing U.S. critical infrastructure sectors. It also clarifies the roles and responsibilities of federal agencies involved in protecting vital services.


National Security Memorandum on Critical Infrastructure Security and Resilience

The United States recognizes the importance of securing and maintaining resilient critical infrastructure, which encompasses physical and virtual assets vital to national security, economic security, and public health and safety. As the country invests in infrastructure and adopts new technologies, there is an opportunity to build for the future. However, the nation also faces strategic competition from state and non-state actors who target critical infrastructure through both legal and illegal means. Adversaries may exploit vulnerabilities in critical infrastructure during times of crisis or conflict. Additionally, the impact of climate change further strains these assets and systems. This memorandum aims to enhance national unity by strengthening the security and resilience of critical infrastructure.


Hackers Broke Into Change Healthcare Due to Basic Security Misstep

UnitedHealth Group CEO Andrew Witty will testify before Congress this week and confirm that the massive ransomware attack on the U.S. healthcare system in February was a result of a basic security lapse. The cybercriminal group ALPHV, also known as BlackCat, infiltrated Change Healthcare due to a lack of multifactor authentication for the Citrix application used for remote desktop access. Witty will also disclose that the hackers breached Change's systems on February 12 and encrypted their health information technology environment on February 21. Witty defends the decision to pay the hackers a multimillion-dollar ransom and take Change's systems offline, stating it was the right thing to do to prevent further penetration into UnitedHealth Group.


Austria Calls for Rapid Regulation as It Hosts Meeting on 'Killer Robots'

Austria urges international efforts to regulate the use of artificial intelligence in weapons systems, as the advancement of AI technology brings the possibility of "killer robots" closer. The conference, titled "Humanity at the Crossroads: Autonomous Weapons Systems and the Challenge of Regulation," aims to address the ethical and legal challenges posed by autonomous weapons. The window for action is closing rapidly, with discussions at the United Nations producing few results. The goal is to ensure human control over life-and-death decisions and to prevent the moral failure of delegating control over violence to machines and algorithms.


UK Becomes First Country to Ban Default Bad Passwords on IoT Devices

The United Kingdom has implemented the Product Security and Telecommunications Infrastructure Act 2022, making it the first country to ban default guessable usernames and passwords on IoT devices. The law introduces minimum security standards for manufacturers and requires them to disclose the duration of security updates for their products. Weak default passwords like "admin" or "12345" are explicitly prohibited, and manufacturers must publish contact details for bug reporting. Non-compliant products could face recalls and fines of up to £10 million or 4% of global revenue. While similar laws are being considered elsewhere, the UK has taken the lead in addressing the security risks posed by IoT devices.


Wireless Carriers Vow to Fight FCC Fines Over Customer Location Data

The top three US wireless providers, T-Mobile, AT&T, and Verizon, have pledged to contest fines totaling almost $200 million imposed by the Federal Communications Commission (FCC) for illegally sharing customers' location information. The FCC accused the carriers of failing to protect sensitive customer data and of selling access to it to other businesses. T-Mobile has stated that it has already discontinued the practice, while AT&T and Verizon plan to appeal the FCC's decision.


Cyber Focus - Gavin Wilde

Gavin Wilde, a senior fellow at the Carnegie Endowment for International Peace, discusses his evolving views on countering foreign influence operations since the 2016 U.S. election. He cautions against overreacting to these threats, arguing that the effects may be more marginal than assumed and that domestic issues may be a greater driver of societal divisions. Wilde advocates for shoring up trust in democracy by addressing bread-and-butter concerns rather than relying solely on national security tools to counter foreign propaganda.


Agencies to Turn Toward 'Skill-Based Hiring' for Cyber and Tech Jobs, ONCD Says

Federal agencies in the U.S. will adopt skill-based hiring for IT jobs, shifting away from traditional requirements based on degrees or years of experience. This move aims to address the cyber job gap and promote diversity in the field. The Office of the National Cyber Director stated that the new hiring practices will come into effect next summer and will also apply to federal contractors. The emphasis on skill-based hiring aligns with the Biden administration's strategy of leveraging the federal government's influence to drive private sector behavior and create good-paying jobs.


Disclosures of U.S. Identities in Spy Reports Nearly Tripled Last Year

The National Security Agency (NSA) revealed identifying information about U.S. residents or corporations over 30,000 times in surveillance reports shared among senior federal government officials last year, a significant increase from previous years. This surge in unmasking, the revealing of redacted information about American identities in classified intelligence reports, is the highest ever recorded since the transparency report began a decade ago. The increase is mainly attributed to efforts to combat foreign hackers targeting critical American infrastructure.


Hacker Found Guilty of Leaking Finnish Therapy Records

Finnish hacker Aleksanteri Kivimäki has been convicted and sentenced to six years in prison for hacking and attempting to extort psychotherapy company Vastaamo. The breach resulted in the release of private data, including therapy session notes, affecting tens of thousands of people, including public officials and celebrities. Kivimäki, notorious for previous cyberattacks, demanded approximately $430,000 in Bitcoin not to publish the data but accidentally exposed the entire database. He is likely to serve half his sentence, minus the time spent in detention, and plans to appeal the verdict.


The Dangerous Rise of GPS Attacks

GPS jamming and spoofing attacks are increasing, impacting planes, ships, and critical infrastructure. The Baltic region, Ukraine, and the Middle East have seen a surge in disruptions, with Russia being implicated. Concerns arise over potential safety hazards and the broader impact on global trade and infrastructure.


US Cyber Agency Questioned Over Response to Massive Health Hack

Senators, including Elizabeth Warren, have asked the US Cybersecurity and Infrastructure Security Agency (CISA) to explain its response to a ransomware attack on insurance company Change Healthcare. The attack paralyzed the healthcare system and resulted in the theft of patient medical data. The senators are seeking information on CISA's collaboration with the FBI, its efforts to combat ransomware, and its actions to address the payment of ransoms with cryptocurrencies. UnitedHealth, the parent company of Change Healthcare, has disclosed that it paid hackers a ransom to protect patient data.


Auburn University, Oak Ridge National Lab to Create Pilot SE Regional Cybersecurity Collaboration Center

Auburn University and Oak Ridge National Laboratory are partnering to create the Southeast Region Cybersecurity Collaboration Center (SERC3), a pilot regional cybersecurity center focused on protecting the power grid. With a $10 million grant from the U.S. Department of Energy, the initiative will unite private, academic, and government experts to research and develop solutions for cyberattacks on the power grid. The center will include a mock utility command center for real-time training and will conduct experiments with industry partners to test new security technologies.


White House Affirms CISA's Role in Protecting Critical Infrastructure

President Joe Biden has signed a directive reaffirming the central role of the Cybersecurity and Infrastructure Security Agency (CISA) in protecting the nation's critical infrastructure sectors. Despite calls to add major industries like space and cloud computing, the directive maintains the existing list of 16 sectors. The directive reinforces CISA's mandate to coordinate national efforts in securing critical infrastructure from cyberattacks and natural disasters. It also directs sector risk management agencies to assess cybersecurity standards and emphasizes the need for resilience in the face of escalating threats, such as those posed by Chinese hacking groups.


FTC Broadens Health Breach Notification Rule

The Federal Trade Commission (FTC) has finalized a rule expanding data breach reporting requirements for healthcare applications. The Health Breach Notification Rule now explicitly applies to health apps and requires covered entities to disclose additional information in the event of a breach. The rule aims to address evolving health data usage and enhance enforcement actions, potentially leading to larger civil penalties in the future. The rule also clarifies what constitutes personally identifiable health data, including emergent health data such as purchase records and location data. The FTC commissioners voted 3-2 in favor of publishing the rule.


Biden Replaces Obama-Era Infrastructure Protections to Defend Against Chinese Cyberthreats

President Joe Biden has updated a policy from the Obama administration to protect critical U.S. infrastructure sectors from foreign cyberattacks, specifically addressing the growing threat posed by China. The new policy reflects the changing threat environment and assigns responsibilities to federal agencies to safeguard U.S. infrastructure. The move comes as FBI Director Christopher Wray warns of Chinese hackers targeting critical systems such as the electrical grid and water plants. The policy also directs intelligence agencies to share relevant information with vulnerable infrastructure industries.


Change Healthcare Hackers Used Stolen Credentials and No MFA, Says UHG CEO

UnitedHealth CEO Andrew Witty revealed that the ransomware gang behind the attack on Change Healthcare gained access to the company's systems using stolen credentials and exploited the absence of multi-factor authentication (MFA). The hackers accessed a Change Healthcare Citrix portal, which did not have MFA in place, allowing them to move laterally within the systems and exfiltrate data. UnitedHealth confirmed that it paid a ransom to the hackers and estimated the attack's cost at over $870 million in the first quarter.
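Both Change Healthcare items above come down to the same control gap: a remote-access portal that accepted a password alone. The script below is an added example written for this briefing, not code from the briefing, from UnitedHealth, or from Citrix. It audits a constructed, hypothetical gateway log (the `session=... user=... event=...` format is assumed; real Citrix Gateway logs differ) and reports every session that reached a full logon without an `mfa_ok` event, which is the condition a defender would want to alert on, whether the cause is MFA never being enrolled or a policy that lets a failed second factor through.

```python
"""Audit remote-access gateway logins for sessions that never completed an MFA step.

Added example, not code from the briefing or from any vendor. The log format is
hypothetical:
    <timestamp> session=<id> user=<name> src=<ip> event=<password_ok|mfa_ok|mfa_fail|logon>
Adapt the regex to your gateway's real log format.
"""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not real product output).
SAMPLE_LOG = """\
2024-02-12T03:14:02Z session=a1 user=jdoe src=203.0.113.7 event=password_ok
2024-02-12T03:14:05Z session=a1 user=jdoe src=203.0.113.7 event=mfa_ok
2024-02-12T03:14:06Z session=a1 user=jdoe src=203.0.113.7 event=logon
2024-02-12T03:20:41Z session=b2 user=svc_backup src=198.51.100.23 event=password_ok
2024-02-12T03:20:42Z session=b2 user=svc_backup src=198.51.100.23 event=logon
2024-02-12T04:02:10Z session=c3 user=asmith src=192.0.2.44 event=password_ok
2024-02-12T04:02:15Z session=c3 user=asmith src=192.0.2.44 event=mfa_fail
2024-02-12T04:02:30Z session=c3 user=asmith src=192.0.2.44 event=logon
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_logons_without_mfa(records):
    """Return one finding per session that reached 'logon' without an 'mfa_ok' event.

    A session with mfa_fail followed by logon is flagged as well: the gateway
    admitted the user even though the second factor was rejected.
    """
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)

    findings = []
    for sid, events in by_session.items():
        names = [e["event"] for e in events]
        if "logon" in names and "mfa_ok" not in names:
            first = events[0]
            findings.append({
                "session": sid,
                "user": first["user"],
                "src": first["src"],
                "time": next(e["ts"] for e in events if e["event"] == "logon"),
                "reason": "mfa_fail then logon" if "mfa_fail" in names else "no MFA step",
            })
    return findings


if __name__ == "__main__":
    for f in find_logons_without_mfa(parse_log(SAMPLE_LOG)):
        print(f"ALERT session={f['session']} user={f['user']} src={f['src']} "
              f"at {f['time']}: {f['reason']}")
```

Run against the constructed log, the script flags session `b2` (a service account that logged on with a password only) and session `c3` (logon after a rejected second factor) and leaves `a1` alone. Service accounts are worth a second look in practice, since they are the accounts most often exempted from MFA enrolment.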


Former NSA Employee Sentenced to Almost 22 Years for Trying to Sell Secrets to Russia

Jareh Sebastian Dalke, a former NSA employee, has been sentenced to nearly 22 years in prison for attempting to sell classified information to Russia. Dalke, an Army veteran, exchanged emails with an FBI agent posing as a Russian agent and offered to sell sensitive US defense capabilities, threat assessments, and information on a US cryptographic program for $85,000. The FBI arrested him during the final exchange. Attorney General Merrick Garland emphasized that those who betray the country will be held accountable for their crimes.


AI Faces Its 'Oppenheimer Moment' During Killer Robot Arms Race

Governments are warned that time is running out to regulate the emergence of artificially intelligent killing machines. As autonomous weapons systems proliferate, the decision to hit targets could soon be outsourced entirely to machines. The challenge of controlling killer robots is exacerbated by global conflict and financial incentives for companies promoting AI. Governments are urged to collaborate with companies integrating AI tools into defense, enforce export controls and humanitarian laws, and potentially write new rules to address the easy availability of autonomous weapons to non-state actors.


Farewell to China’s Strategic Support Force. Let’s Meet Its Replacements

China has unexpectedly disbanded the People's Liberation Army's Strategic Support Force (SSF) and replaced it with three new forces: the Aerospace Force, Cyberspace Force, and Information Support Force. The move is seen as a reversal of the initial innovation the SSF was meant to bring, with the PLA now opting for separate component forces instead of a unified command. The new forces will focus on space missions, cyber operations, and information support, respectively. The restructuring reflects the PLA's ability to assess shortcomings and make changes, although it may also introduce a new layer of bureaucracy.


Britain Bans Simple Passwords for Smart Devices

The UK has implemented the world's first legislation requiring internet-connected smart devices to meet minimum security standards. Manufacturers are now prohibited from using weak default passwords like "123456" or "admin" to enhance consumer protection against hacking and cyberattacks. The law also mandates the disclosure of contact details for bug reports and timely security updates. This landmark legislation aims to address the increasing threats generated by the internet and empower consumers to make informed decisions about the security of their purchased products.


Huawei’s Pivotal Role in the US-China Tech War, from 5G to Chips

The US-China tech war has focused on Huawei, as the US government blacklisted the company in 2019 over spying concerns. Despite US efforts to contain China's technological rise, Huawei has made a remarkable comeback and is now at the forefront of China's push for technological independence. With Huawei's dominance in the domestic market and advancements in semiconductors, the US is deliberating ways to counter Huawei's influence and exploring additional sanctions.


NIST Launches New Platform to Assess Generative AI

The National Institute of Standards and Technology (NIST) has introduced NIST GenAI, a program aimed at evaluating generative AI technologies, such as text and image generation. NIST GenAI will release benchmarks, develop systems to detect deepfakes and encourage the creation of software to identify the source of fake or misleading AI-generated information. The program's first project is a pilot study to distinguish between human-created and AI-generated text, inviting submissions from academia, industry, and research labs. NIST GenAI aligns with President Biden's executive order on AI transparency and is part of NIST's AI Safety Institute's efforts.


FCC Fines Major Wireless Carriers $200M for Illegally Selling Customer Location Data

The Federal Communications Commission (FCC) has fined the largest U.S. wireless carriers a total of $200 million for selling customers' location data to third parties without consent and failing to protect that information. Sprint and T-Mobile, who merged in 2020, were fined $12 million and $80 million, while AT&T and Verizon were fined over $57 million and nearly $47 million, respectively. The carriers violated rules that prohibited selling customer data without permission and neglected to implement reasonable safeguards. The FCC initiated the investigation after reports of a Missouri sheriff using an inmate phone monitoring service to track cell phone locations. The carriers plan to appeal the decision.


Wealthy Taxpayers Alerted to Leaked Data Years After IRS Breach

The IRS has started notifying taxpayers, including wealthy individuals, that their tax return information was compromised in the widespread breach by former IRS contractor Charles Littlejohn. The breach, which occurred between 2018 and 2020, involved the leak of tax information from thousands of wealthy Americans, including former President Donald Trump's tax returns. The notification letters, required under Section 7431 of the Internal Revenue Code, could lead to lawsuits against the government from affected taxpayers. The letters provide limited information about the breach and do not specify which data was taken or to whom it was sent.


FTC Finalizes Changes to the Health Breach Notification Rule

The Federal Trade Commission (FTC) has finalized changes to the Health Breach Notification Rule (HBNR), expanding its applicability to health apps and similar technologies not covered by HIPAA. The rule strengthens breach notification requirements for vendors of personal health records (PHR) and related entities, clarifies definitions and breach of security criteria, and expands consumer notice content. The changes also allow for expanded use of electronic notification. The final rule will take effect 60 days after publication in the Federal Register.


Subscribe to our LinkedIn Cyber Briefing.

Subscribe to the daily Cyber Briefing email.

Subscribe to our Cyber Focus podcast.

Copyright © 2024 Auburn University's McCrary Institute. All Rights Reserved.

Follow the McCrary Institute on LinkedIn, Twitter, Threads, Instagram, Facebook, and YouTube.
