Cybersecurity Saturday

Security Week informs us that the infrastructure spending bill currently under U.S. Senate consideration includes

approximately $2 billion to “modernize and secure federal, state, and local IT and networks; protect critical infrastructure and utilities; and support public or private entities as they respond to and recover from significant cyberattacks and breaches.”

The bill, which contains more than 300 occurrences of the words “cyber” and “cybersecurity,” includes the Cyber Response and Recovery Fund, which provides $20 million per year until 2028 for assisting government and private sector organizations in responding to cyber incidents.

A total of $550 million has been allocated to enhancing the security of the power grid. Some of the money is for developing solutions to identify and mitigate vulnerabilities, improving the security of field devices and control systems, and addressing issues related to workforce and supply chains.

The Washington Post adds that the “Senate Democrats and Republicans cleared another key procedural hurdle Saturday [August 7] on a roughly $1 trillion bill to improve the country’s infrastructure, though disagreements continue to plague lawmakers and prevent the measure’s swift passage.”

Nextgov informs us that

The Cybersecurity and Infrastructure Security Agency will work with agency stakeholders and new private-sector partners to minimize the risk of cyber incidents and better coordinate defensive actions if successful attacks occur under a new effort announced Thursday [August 5].

The Joint Cyber Defense Collaborative, or JCDC, will aim to take a proactive approach to cyber defense in the wake of several high-profile breaches that affected the federal government and public, according to CISA Director Jen Easterly. * * *

Initial industry partners include Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks and Verizon. * * *

Current government partners in the effort thus far include the Department of Defense, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence. 

Here is a link to the JCDC’s website. The Nextgov article indicates that the JCDC’s initial focus will be on ransomware.

According to Bleeping Computer’s The Week in Ransomware:

If there is one thing we learned this week, it’s that not only are corporations vulnerable to insider threats but so are ransomware operations.

The LockBit 2.0 ransomware is now trying to recruit corporate insiders to help them breach networks. In return, the insider is promised millions of dollars.

On the flip side, ransomware operations are vulnerable too. Yesterday, after being banned from the Conti ransomware operation, a Conti affiliate leaked the training material for the ransomware operation on the XSS hacking forum, giving security researchers and defenders an inside look at the tools being used by the group.

ZDNet advocates “Constant review of third-party security critical as ransomware threat climbs.”

Cyberscoop reports:

The Biden administration backed away from the idea of banning ransomware payments after meetings with the private sector and cybersecurity experts, a top cybersecurity official said Wednesday [August 4].

“Initially, I thought that was a good approach,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at an Aspen Security Forum event. “We know that ransom payments are driving this ecosystem.”

Experts, including former government officials serving on a non-profit ransomware task force, helped shift that view, following high-profile hacks against Colonial Pipeline, the food production company JBS and Kaseya, a Florida-based IT firm. Payments from the Colonial Pipeline and JBS attacks totaled more than $15 million, a number that likely represents a fraction of the funds sent to extortionists.

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” she said.

The FEHBlog has registered for a free Public Contract Institute webinar on Data Abduction: Combatting and Limiting Ransomware Risks. Here is a link to the registration page.

Finally, this past week the National Institute of Standards and Technology released for public comment draft revisions to existing relevant Special Publications:

The public comment deadline is October 1, 2021, for SP 800-53 and September 20, 2021 for SP 800-160.