Cybersecurity Saturday

From Capitol Hill, Roll Call informs us

The Senate voted overwhelmingly Thursday to pass the final defense authorization bill for fiscal 2023, clearing the sweeping measure for President Joe Biden’s signature.

If Biden signs the NDAA into law, as he is expected to do, it would be the 62nd straight fiscal year that the defense policy measure has been enacted.

The Senate’s final NDAA passage vote was 83-11, and 60 votes were required. The House passed the bicameral compromise on Dec. 8.

Of note to FEHB carriers in the bill, as noted last week, is the Chinese-made semiconductor provision. The law requires a FAR rule to implement the provision within three years, and the FAR rule cannot take effect until December 2027, five years after enactment, which will occur when the President signs the bill.

The New York Times adds

The Biden administration on Thursday stepped up its efforts to impede China’s development of advanced semiconductors, restricting another 36 companies and organizations from getting access to American technology.

The action, announced by the Commerce Department, is the latest step in the administration’s campaign to clamp down on China’s access to technologies that could be used for military purposes and underscored how limiting the flow of technology to global rivals has become a prominent element of United States foreign policy. * * *

Among the most notable companies added to the list is Yangtze Memory Technologies Corporation, a company that was said to be in talks with Apple to potentially supply components for the iPhone 14.

On Thursday, Congress passed a military bill including a provision that will prevent the U.S. government from purchasing or using semiconductors made by Y.M.T.C. and two other Chinese chip makers, Semiconductor Manufacturing International Corporation and ChangXin Memory Technologies, because of their reported links to Chinese state security and intelligence organizations.

The Wiley law firm helpfully offers details on this important provision.

From the cyber vulnerabilities front —

The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities, and then one more, to its catalog.

Healthcare Dive reports

The HHS’ Office of Information Security has released a report looking at the implications of automation for healthcare cybersecurity and how criminals are using artificial intelligence in their hacking activities.

Cyberattackers are using AI to build better malware, the office said. The technology includes machine learning-enabled penetration testing tools, AI-supported password guessing and data to enable impersonation on social networking platforms.

Hackers are also using automated software to identify valuable information such as emails, passwords, credit cards and personal data, according to the report.

The Healthcare Sector Cybersecurity Coordination Center issued this sector alert:

Citrix released patches for a vulnerability that impacts both their Application Delivery Controller and Gateway platforms. This vulnerability allows a remote attacker to completely compromise a target system. These vulnerabilities are known to be actively exploited by a highly capable state-sponsored adversary. Furthermore, the Department of Health and Human Services is aware of U.S. healthcare entities that have already been compromised by the exploitation of this vulnerability. HC3 strongly urges all healthcare and public health organizations to review their inventory for these systems and prioritize the implementation of these patches.

Forbes explains “Why Employee-Targeted Digital Risks Are The Next Frontier Of Enterprise Cybersecurity.”

From the ransomware front —

Bleeping Computer’s The Week in Ransomware has a long introduction which begins

To evade detection by security software, malware developers and threat actors increasingly use compromised code-signing certificates to sign their malware.

This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.
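The practical question for a defender reading the Bleeping Computer item above is which kernel drivers on a given host are signed, and by whom. The PowerShell script below is an added example, not code from the newsletter, from Bleeping Computer or from Microsoft. It inventories the drivers registered on the host, reads each file's Authenticode signature, and flags drivers that are unsigned, have a broken signature, or are signed by a publisher outside a small allow list; the `$ExpectedPublishers` list is an assumption for a stock Windows machine and should be extended with your own hardware vendors.

```powershell
# Added example (not from the newsletter or from Microsoft): inventory the
# kernel drivers registered on this host and report each one's Authenticode
# signer, so unexpected publishers can be reviewed against the driver
# revocations Microsoft shipped with the December Patch Tuesday advisory.

# Publisher substrings expected for drivers on a typical Windows host.
# This is an assumed starting list, not a Microsoft-supplied allow list.
$ExpectedPublishers = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher',
    'CN=Microsoft Corporation'
)

function Get-DriverSignatureReport {
    # Win32_SystemDriver lists kernel-mode drivers registered as services.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix, or be
            # relative to the Windows directory; normalise to a full path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # A driver is "expected" only if its signer matches the allow list.
            $expected = $false
            foreach ($p in $ExpectedPublishers) {
                if ($subject -like "*$p*") { $expected = $true }
            }

            [pscustomobject]@{
                Driver      = $_.Name
                State       = $_.State
                Path        = $path
                Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer      = $subject
                Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                Timestamped = [bool]$sig.TimeStamperCertificate
                Review      = ($sig.Status -ne 'Valid') -or (-not $expected)
            }
        }
}

# Drivers worth a second look: unsigned, broken, or signed by an unexpected publisher.
Get-DriverSignatureReport |
    Where-Object Review |
    Sort-Object Status, Signer |
    Format-Table Driver, State, Status, Signer, Thumbprint -AutoSize
```

The report keys on the signer identity and certificate thumbprint rather than on `Status` alone: a driver signed through a compromised developer account carries a chain that verified correctly at signing time, and `Get-AuthenticodeSignature` should not be relied on as a revocation check, so such a driver can still report `Valid`. Treat the flagged rows as a review queue, compare their thumbprints with the revocation details in the vendor advisory, and re-run the report after the Patch Tuesday updates have been applied.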

Health IT Security reports

The HHS Health Sector Cybersecurity Coordination Center (HC3) issued two new analyst notes detailing the tactics and indicators of compromise for LockBit 3.0 and BlackCat. The LockBit ransomware family and the BlackCat ransomware variant have been observed targeting the healthcare sector.

Healthcare organizations should remain vigilant and apply recommended mitigations to reduce risk.

CISA released an update to its Cuba ransomware advisory.

From the cybersecurity defenses front —

  • Health IT Security tells us

Organization executives are doubling down on investments toward cybersecurity reliance as an uptick in data security breaches jeopardizes business operations and overwhelms industries, including the healthcare sector, according to a recent Cisco report.

The “Security Outcomes Report, Volume 3: Achieving Security Resilience” revealed that 96 percent of executives consider security resilience crucial, with 62 percent of organizations surveyed reporting a data security event that impacted business in the past two years.

When asked to elaborate on the types of resilience-impacting incidents, over half the respondents reported data breaches and system outages. Further, ransomware events and distributed denial of service (DDoS) attacks impacted more than 46 percent of surveyed organizations.

The report also indicated that the state of security resilience among organizations is mixed, with less than 40 percent confident that their organization would fare well during a cybersecurity event.

  • Forbes identifies ten qualities of a good security program and delves into “Tackling Mental Health And Burnout In Cybersecurity.”