Cybersecurity Saturday

Cyberscoop reports

The White House on Friday [April 9, 2021] asked Congress for $110 million in additional funding in [fiscal year] 2022 to help the Department of Homeland Security shore up federal and state defenses in the wake of high-profile hacking operations. The money would allow DHS’s Cybersecurity and Infrastructure Security Agency to improve its defensive tools, hire more experts and “obtain support services to protect and defend federal information technology systems,” Shalanda Young, the acting director of the Office of Management and Budget, wrote in an April 9 letter to congressional appropriators. It would add to a recent $650 million funding boost for CISA that was part of the coronavirus relief package cleared by Congress.

A Security Week columnist ponders what cybersecurity policy changes to expect from the Biden Administration.

As the U.S. transitions to a new presidential administration, which can be expected to differ largely from the last, it is hard not to speculate how President Biden’s Administration will reduce the risk of a major cyberattack against the U.S. or her interests. The recent SolarWinds attack, widely attributed to Russian actors, further amplifies the need for improved security and deterrence. Despite my best efforts to come up with a brilliant “thought leadership” piece on what I think the Biden Administration should do, the best answer has already been written and published in March of 2020 as the 2020 Cyberspace Solarium Commission Report.

Co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), the bipartisan Cyberspace Solarium Commission proactively scrutinized U.S. cybersecurity in much the same way the 2004 9/11 Commission Report reactively assessed failings within the U.S. Intelligence Community (IC) and offered recommendations for sweeping changes. The Cyberspace Solarium Commission, just as the 9/11 Commission before it, made bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyberspace.

The columnist focuses on the Solarium Commission’s recommendations to update the national cybersecurity policy, seat a national cybersecurity director, and improve the pipeline of cybersecurity talent.

Per the FBI, its “Internet Crime Complaint Center (IC3) has released its annual report [for 2020], which includes information from 791,790 complaints of suspected Internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.”

The Wall Street Journal reported last Wednesday that

Data from a 2019 hack of Facebook Inc. was made public in recent days, revealing the phone numbers and personal information of more than a half-billion people. While the data came from a vulnerability of Facebook platforms that the company says it has since fixed, security experts say that scammers could use the information for nefarious purposes like spam email and robocalling.

The hackers began selling the data online to bidders soon after it was accessed. Alon Gol, chief technology officer of the Israeli cybersecurity firm Hudson Rock, said it was initially sold for tens of thousands of dollars, and the price kept dropping until it was recently made available for free on sites like raidforums.com. Hackers often release data for free once it has been circulated long enough, said Zack Allen, senior director of threat intelligence at ZeroFOX, a Baltimore-based cybersecurity company.

[S]ome cybersecurity experts have created sites that allow people to see if their information was contained in data leaks. One such site is haveibeenpwned.com, where you can enter your phone number or email address and see the result. The website, which allows people to check if their information was swept up in different data breaches, was created by Australian web-security consultant Troy Hunt.

The FEHBlog checked his Gmail address on this site and discovered that his email address had been “pwned” in 14 different breaches since 2012. The FEHBlog has gone the double authentication route with that address. By the way, pwn means “(especially in video gaming) utterly defeat (an opponent or rival); completely get the better of. ‘I can’t wait to pwn some noobs in this game.’”