In this episode of the podcast (#204) we’re joined by Josh Corman of CISA, the Cybersecurity and Infrastructure Security Agency, to talk about how that agency is working to secure the healthcare sector, in particular vaccine supply chains that have come under attack by nations like Russia, China and North Korea.
How is the U.S. government responding to this array of threats? In this episode of the podcast, we’re bringing you an exclusive interview with Josh Corman, Chief Strategist for Healthcare and COVID on the COVID Task Force at CISA, the Cybersecurity and Infrastructure Security Agency.
In this interview, Josh and I talk about the scramble within CISA to secure a global vaccine supply chain in the midst of a global pandemic. Among other things, Josh talks about the work CISA has done in the last year to identify and shore up the cyber security of vital vaccine supply chain partners – from small biotech firms that produce discrete but vital components needed to produce vaccines to dry ice manufacturers whose product is needed to transport and store vaccines.
To start off, I asked Josh to talk about CISA’s unique role in securing vaccines and how the Federal Government’s newest agency works with other stakeholders, from the FBI to the FDA, to address widespread cyber threats.
Last week, the Executive Order on Protecting the United States from Certain Unmanned Aircraft Systems (UAS) expanded the U.S.-China drone controversy to North Korea, Iran, and Russia.
The Order also provides the Secretary of Commerce with the authority to designate “any other foreign nation, foreign area, or foreign non-government entity engaging in long-term patterns or serious instances of conduct significantly adverse to the national or economic security of the United States,” in addition to China, North Korea, Iran, and Russia.
The purpose of the Order is to “prevent the use of taxpayer dollars to procure UAS that present unacceptable risks and are manufactured by, or contain software or critical electronic components from, foreign adversaries, and to encourage the use of domestically produced UAS.” However, this Order is not necessarily a “cease-and-desist” order; instead, it requires federal agencies to review, within the next 60 days, their “authority to cease” procuring, funding or contracting for the “covered UAS” of such foreign adversaries. A “covered UAS” includes a drone that:
is manufactured, in whole or in part, by an entity domiciled in an adversary country;
uses critical electronic components installed in flight controllers, ground control system processors, radios, digital transmission devices, cameras, or gimbals manufactured, in whole or in part, in an adversary country;
uses operating software (including cell phone or tablet applications, but not cell phone or tablet operating systems) developed, in whole or in part, by an entity domiciled in an adversary country;
uses network connectivity or data storage located outside the United States, or administered by any entity domiciled in an adversary country; or
contains hardware and/or software components used for transmitting photographs, videos, location information, flight paths, or any other data collected by the UAS manufactured by an entity domiciled in an adversary country.
The Order also requires federal agencies to inventory covered UAS that already are owned or operated by the agency, and to then report their existing security protocols. However, and particularly with respect to China, several federal agencies have already conducted this inventory and assessment. No later than 120 days after the inventory reports are completed, the Director of National Intelligence, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Science and Technology Policy, and the heads of other agencies will review the reports and submit a security assessment to the President, including recommended mitigation steps for decreasing the risks associated with these UAS and whether any UAS’ use should be discontinued completely by federal agencies.
The Federal Aviation Administration (FAA) must also lay out restrictions on the use of UAS on or over critical infrastructure within 270 days of the Order; the FAA already has the power to issue a Temporary Flight Restriction (TFR). At present, TFRs can be requested only by national defense, national security, and federal intelligence departments and agencies. However, other government or private sector entities can, in the interest of national security, request those agencies to sponsor a TFR over critical infrastructure, (e.g., oil refineries and chemical facilities). The goal of the Order is perhaps to provide a direct line from private industry to the FAA.
We’ll see if the Order has staying power and the funding to support it. Stay tuned.
Malwarebytes, a cybersecurity firm, confirmed this week that the Russia-linked hackers believed to be behind the SolarWinds incident were able to access some of its internal emails without authorization.
According to the company, it did not use SolarWinds software, but had been targeted by the same hackers, who gained access to its Office 365 and Azure environments. It further stated that the access was limited to a small number of internal company emails and did not include any access to or compromise of its production environments, which is good news for its customers.
The CEO of Malwarebytes stated that the hacking campaign that started with FireEye and has affected both governmental agencies and Fortune 500 companies alike “is much broader than SolarWinds and I expect more companies will come forward soon.”
The fallout from these incidents continues, and no doubt there will be more to come.
Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.
The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.
The matter was dismissed, as the Court found that it lacked subject matter jurisdiction as the Plaintiff lacked standing to sue. The Court was clear that in the 9th Circuit, the sensitivity of the personal information, combined with its theft, are prerequisites to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.
The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.
The fallout from the SolarWinds hacking incident linked to Russian threat actors has not only wreaked havoc on governmental agencies and private companies whose data are at risk following the incident, but this week, Bitsight and Kovrr released an analysis outlining the effect of the event on insurance losses that estimates the incident could cost more than $90 million when all is said and done.
The $90 million includes costs related to forensic analyses, incident response, potential regulatory fines and public relations costs. Although it has been reported that 18,000 customers of SolarWinds may have been affected by the incident, the analysis indicates that 40 specific firms were targeted in the incident, 80 percent of which are located in the U.S. It further notes that those firms were primarily federal agencies or in the information technology sector.
The analysis highlights the importance of assessing supply-chain cyber risk and how supply chain and vendor security incidents can cause direct losses that may not be easily recoverable from downstream companies. As part of the assessment, companies also may wish to determine whether insurance coverage would be available if they experience a vendor or supply chain incident like the SolarWinds example.
U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia compromised JetBrains’ TeamCity continuous integration server, a build tool used by SolarWinds, in order to plant its malware in SolarWinds Orion in the first place, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.
In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Administration and the U.S. Marshals Service, announced this week that 3 percent of its employees’ email accounts were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.
In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.
Cybersecurity firms are offering free solutions for companies to use to identify the SUNBURST malware variant and whether they have been affected, including Palo Alto Networks and SentinelOne.
We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now.
2020 will go down as one of the most stressful years in my career as a cybersecurity professional. I have been working in this area of law full time since 2003. So that says a lot.
On top of the stress of the spread of the coronavirus, this has been a particularly stressful year assisting clients with security incidents, ransomware extortions, data security in migrating from on premises to work from home, and keeping employees educated and vigilant. Indeed, it has been difficult and exhausting. And I’m just the lawyer.
Your IT professionals have been through HELL this year. They are working beyond capacity, with limited resources, trying to keep organizations safe from highly sophisticated hackers and nation states, including Russia and China. They are doing their very best to find the right tools to keep the bad guys out of networks and systems, at the same time trying to get their users not to click on links, attachments or phishing emails. They are getting attacked from within and without. It is a war for them every day.
Give them some love. A thank you goes a long way. Our IT professionals are losing sleep every night, working long hours, keeping our data safe, and dealing with attacks that you can’t even begin to fathom.
They battle for us in the background, on the front line, and never get any credit for how important their job is to our ability to do our job.
So this holiday season, take a little time and reach out to your IT professionals and say “Thank you.” They deserve a ton of credit and LOVE from all of us.
In this episode of the podcast (#197), sponsored by LastPass, former U.S. CISO General Greg Touhill joins us to talk about news of a vast hack of U.S. government networks, purportedly by actors affiliated with Russia. In our second segment, with online crime and fraud surging, Katie Petrillo of LastPass joins us to talk about how holiday shoppers can protect themselves – and their data – from cyber criminals.
Every day this week has brought new revelations about the hack of U.S. Government networks by sophisticated cyber adversaries believed to be working for the Government of Russia. And each revelation, it seems, is worse than the one before. As of Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was dispensing with niceties, warning that it had determined that the intrusion “poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
This attack is so big it is hard to know what to call it. Unlike the 2014 OPM incident, it isn’t limited to a single federal agency. In fact, it isn’t even limited to the federal government: state, local and tribal governments have likely been affected, in addition to hundreds or thousands of private firms, including Microsoft, which acknowledged Thursday that it had found instances of the software compromised by the Russians, the SolarWinds Orion product, in its environment.
How did we get it so wrong? According to our guest this week, the failures were everywhere. Calls for change following OPM fell on deaf ears in Congress. But the government also failed to properly assess new risks – such as software supply chain attacks – as it deployed new applications and computing models.
Greg Touhill is the President of the Federal Group of secure infrastructure company AppGate. He also currently serves as a faculty member of Carnegie Mellon University’s Heinz College. In a prior life, Greg was a Brigadier General in the U.S. Air Force and the first Federal Chief Information Security Officer of the United States government.
In this conversation, General Touhill and I talk about the hack of the US government that has come to light, which he calls a “five alarm fire.” We also discuss the failures of policy and practice that led up to it and what the government can do to set itself on a new path. The federal government has suffered “paralysis through analysis” as it wrestled with the need to change its approach to security from outdated notions of a “hardened perimeter” and keeping adversaries out. “We’ve got to change our approach,” Touhill said.
The malls may be mostly empty this holiday season, but the Amazon trucks come and go with a shocking regularity. In pandemic plagued America, e-commerce has quickly supplanted brick and mortar stores as the go-to for consumers wary of catching a potentially fatal virus.
The Department of Justice in October announced charges against six men believed to work for the Russian GRU and linked to some of the most sinister cyber attacks of the last decade including the NotPetya malware and attacks on the government of Ukraine. In this podcast we talk to two men who helped build the DOJ’s case: Cisco’s Matt Olney, the Director of Talos Threat Intelligence and Interdiction and Craig Williams, the Talos Director of Outreach about the case against the Russian actors and what companies can do to defend themselves.
The news this week was that FireEye, one of the U.S.’s most prominent cyber security firms, had itself become a victim of a cyber crime. The likely suspects: state-sponsored hackers working on behalf of the Government of Russia.
Now, according to reports, Russian hacking groups may have access to FireEye’s custom “red team” tools for testing clients’ defenses or identifying malicious activity. That’s a possible bounty for Russian state-sponsored crews like so-called “Cozy Bear,” or APT 29, which are already among the most feared cyber adversaries in the world.
But just because Russian hacking groups often act with impunity doesn’t mean they’re invisible – or even unknowable. In fact, it was just a few weeks ago – on October 15 – that the U.S. Justice Department named six officers of Russia’s GRU in connection with a string of high profile hacks and cyber attacks including the NotPetya malware and attacks on the government of Ukraine and on the 2018 PyeongChang Winter Olympic games.
The men were believed to be part of state-sponsored hacking groups with names like “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking,” according to a statement by the DOJ.
How did the U.S. Justice Department follow the tracks from those amorphous attacks to six Russian men? Our guests this week were among those working behind the scenes to make sense of those attacks and help understand what happened and who was behind them.
Talos had a front row seat in a number of the incidents mentioned in the Department of Justice report, including the NotPetya outbreak, the attacks on Ukraine and the campaign against the 2018 Olympics. Craig and Matt joined me in the Security Ledger studio to talk about the DOJ announcement and what goes into the project of identifying and charging foreign hacking groups. We also talk about what it takes to stop and even catch a Russian APT group, and what companies can do to protect themselves from the world’s most elite offensive hackers.
On October 27, 2020, the FBI and the Department of Homeland Security (DHS) warned the health care industry about “an imminent cybercrime threat to U.S. hospitals and healthcare providers.”
According to the warning, which was shared during a conference call, the government has received “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The information was being shared with participants so they can take timely precautions to protect their networks from the threat.
According to KrebsonSecurity, the threat is believed to stem from a Russian cybercriminal gang that may be deploying Ryuk ransomware to more than 400 health care facilities in the U.S. It appears the attack is planned to be coordinated in order to maximize disruption in the health care sector.
Hospitals are urged to confirm that patching of all known vulnerabilities has been completed. Mandiant Solutions has released a list of domains and Internet addresses that have been used by Ryuk in the past, to assist hospitals with identifying known infrastructure used to infiltrate systems.
Based upon these warnings, hospitals and health care providers may wish to consider prioritizing patching and blocking the known domains and Internet addresses used by Ryuk today, and checking DNS and proxy logs for past contact with them.
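Blocking a published indicator list is only half the job; the other half is checking whether any host already talked to that infrastructure. The following is an added example, not code from the original post, Mandiant or any vendor: it matches a blocklist of domains and IP ranges against DNS and proxy log lines. The indicators, log format and log lines are constructed placeholders (RFC 5737 documentation addresses and reserved test domains), not real Ryuk infrastructure; substitute the published list and your own log parser.

```python
"""Match DNS/proxy log lines against a blocklist of domains and IP ranges.

Added example, not from the original post. All indicators and log lines are
constructed placeholders, not real Ryuk indicators of compromise.
"""
import ipaddress
import re

# Constructed blocklist (placeholders): reserved test TLDs and RFC 5737 ranges.
BLOCKLIST_DOMAINS = {"bad-example.test", "c2.example.invalid"}
BLOCKLIST_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, stands in for a C2 range
    ipaddress.ip_network("198.51.100.7/32"),  # TEST-NET-2, a single listed host
]

# Constructed log lines in a simplified "timestamp client kind target" form.
# Proxy targets are assumed to be IPv4 host:port (an assumption of this example).
SAMPLE_LOGS = """\
2020-10-27T09:00:01Z 10.1.2.3 dns query mail.hospital.example
2020-10-27T09:00:02Z 10.1.2.4 dns query update.bad-example.test
2020-10-27T09:00:03Z 10.1.2.5 proxy connect 203.0.113.45:443
2020-10-27T09:00:04Z 10.1.2.6 proxy connect 192.0.2.10:443
2020-10-27T09:00:05Z 10.1.2.7 dns query notbad-example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns query|proxy connect) (\S+)$")


def domain_matches(name: str) -> bool:
    """True if name equals a blocked domain or is a subdomain of one.

    The leading-dot check matters: a bare endswith() would also flag
    'notbad-example.test', which is a different (legitimate) domain.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST_DOMAINS)


def ip_matches(addr: str) -> bool:
    """True if addr falls inside any blocked network (handles CIDR ranges)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostnames or garbage never match an IP range
        return False
    return any(ip in net for net in BLOCKLIST_NETWORKS)


def find_hits(log_text: str) -> list[dict]:
    """Return one record per log line whose target is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # unparseable line: skip, but do not crash the sweep
        ts, client, kind, target = m.groups()
        if kind == "dns query":
            indicator, matched = target, domain_matches(target)
        else:
            indicator = target.rsplit(":", 1)[0]   # strip the port
            matched = ip_matches(indicator)
        if matched:
            hits.append({"time": ts, "client": client, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['client']} -> {hit['indicator']}")
```

On the constructed sample this reports two hits (the client that resolved a subdomain of a listed domain and the client that connected into the listed /24) and ignores both the look-alike domain and the unlisted address. A hit is evidence of contact, not of infection; it should trigger a look at that host, not an automatic verdict.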