Cybersecurity Saturday

From the cybersecurity policy front, Cyberscoop reports on the highlights of the cybersecurity provisions of the bipartisan National Defense Authorization Act that the House of Representatives passed this week and the Senate is expected to pass next week.

The December 7 FEHBlog post included the following Roll Call quote:

Also of note, the bill would ban contractors across the government from using Chinese-made semiconductors, after a lengthy phase-in period, an aide with knowledge of the provision said Tuesday. Many federal contractors and other businesses say they are unclear how they will comply.

The Cyberscoop article does not treat this provision as a highlight of the bill. The FEHBlog turned to ComputerWorld, which provides more details on this provision —

While the draft legislation still provides for [Chinese made semiconductor] restrictions to be enacted, contractors now have five years to comply with them, rather than the two years stipulated in an earlier version of the proposal, and the language of the new draft leaves room for waivers to the restrictions under certain circumstances.

Cyberscoop adds

There are a few major exclusions in the combined House and Senate versions, too.

[For example,] FedScoop’s John Hewitt Jones reports that the NDAA left out an amendment to codify a software bill of materials, or SBOM, in the federal procurement process. Lawmakers removed it following strong criticism from industry.

That piece of the legislation would have required “all holders of existing covered contracts and those responding to requests for proposals from the U.S. Department of Homeland Security to provide a bill of materials and to certify that items in the bill of materials are free of vulnerabilities or defects,” Hewitt Jones reported.

Health IT Security tells us

Experts gathered in Boston on December 5 and 6 for the HIMSS Healthcare Cybersecurity Forum to explore topics such as risk quantification, clinical perspectives on cybersecurity, and medical device security.

Speakers included leaders from the Health Sector Coordinating Council (HSCC), Northwell Health, Forrester, the Federal Bureau of Investigation, the National Institute of Standards and Technology (NIST), and more.

The presentations collectively showed that healthcare cybersecurity experts are well aware of the risks facing the sector. However, more collaboration, communication, and balance are needed to effectively tackle those risks and emerge stronger as an industry.

The Cybersecurity and Infrastructure Security Agency (CISA) offers a readout from the December 6 meeting of its Cybersecurity Advisory Committee:

[CISA] Director [Jen] Easterly led a discussion with committee members on the CSAC’s strategic focus for 2023.

“I truly appreciate the caliber of experts who have taken the time to participate in this committee and, moreover, for their continuous work in helping CISA become the Cyber Defense Agency our nation needs and deserves,” said CISA Director Jen Easterly. “I look forward to working with the Committee in the new year to ensure we are continuing to build a more cyber resilient nation to confront the challenges we face in cyber space.”

“In a time of critical cybersecurity threats, CISA is in a unique position to make a meaningful impact on our Nation’s security,” said the CSAC Chair and Chairman, President & CEO of Southern Company, Tom Fanning. “The Committee members and I look forward to providing strategic recommendations to CISA’s Director Jen Easterly in the coming year to advance CISA’s mission, as they continue to strengthen the cybersecurity posture of the United States.”

From the cyber vulnerabilities front —

HHS’s Health Sector Cybersecurity Coordinating Center (HC3) released the following documents on this topic:

CISA added one more known exploited vulnerability to its catalog.

Cybersecurity Dive looks back at the Log4Shell cybersecurity crisis that first gained widespread public attention in December 2021.

One year after the disclosure of a critical vulnerability in the Apache Log4j logging utility, the nation’s software supply chain remains under considerable threat as federal authorities and the information security community struggle to transform how it develops, maintains and consumes applications in a more secure fashion.

The vulnerability, dubbed Log4Shell, allowed unauthenticated and untrained threat actors to gain control over applications using a single line of code.

Thus far, many of the initial fears of catastrophic cyberattacks have failed to materialize, but federal authorities warn this constitutes a long-term threat that must be carefully monitored and fully remediated to prevent a major security crisis.

From the ransomware front —

Cybersecurity Dive reports, “Ransomware attacks shift beyond US borders; U.S.-based organizations remain the top target for ransomware gangs, but the scale of that misfortune is waning, according to Moody’s.” Here’s the Moody’s report on 2023 Global Cyber Risk.

HC3 released an analyst report on Royal ransomware. “Royal is a human-operated ransomware that was first observed in 2022 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Health (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.”

The Bleeping Computer’s Week in Ransomware informs us

This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.

Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone’s fears that a ransomware attack caused the outage.

However, today [December 9] they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.

From the cyber defenses front —

CISA provides us with

Phishing Infographic to help protect both organizations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organizations and individuals can take to prevent successful phishing operations—from blocking phishing attempts to teaching individuals how to report successful phishing operations.

ZDNet also discusses how people can identify and deter phishing attacks.

The National Institute of Standards and Technology issued Special Publication (SP) 1800-34, which offers organizations guidance on verifying that the internal components of the computing devices they acquire are genuine and have not been tampered with.