Cybersecurity Saturday

    From the cyberpolicy front —

    Cyberscoop reports

    The Government Accountability Office said Thursday that U.S. federal departments have implemented just 40% of the cybersecurity recommendations the watchdog agency has issued since 2010.

    The lethargic pace at which government agencies put in place cybersecurity precautions and best practices underlines the need for the Biden administration to “urgently” release a comprehensive national cybersecurity strategy with effective oversight, the GAO said in its report.

    The GAO said that the updated national cybersecurity strategy, which the administration is reportedly planning to release soon, should address key “desirable characteristics of national strategies,” such as performance measures, that were missing in President Trump’s 2018 cybersecurity strategy.

    “We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics,” the report noted. 

    The GAO noted that only about 145 of its 335 recommendations have been put in place. The agency recommended such actions as establishing the national cyber director and the General Services Administration updating its security plans.

    The Cybersecurity and Infrastructure Security Agency released its 2022 Year in Review report. Health IT Security examines the CISA report from the standpoint of the healthcare sector.

    The FEHBlog noticed that two Federal Acquisition Regulation proposed rules that he has been tracking are now pending review at OMB’s Office of Information and Regulatory Affairs.

    DOD/GSA/NASA (FAR)

    AGENCY: FAR RIN: 9000-AO34 Status: Pending Review
    TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing
    STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: Yes
    RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

    AGENCY: FAR RIN: 9000-AO35 Status: Pending Review
    TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems
    STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: No
    RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

    Should these proposed rules clear OIRA review, the next step will be publication in the Federal Register.

    From the cyberbreach front,

    Cybersecurity Dive reports

    T-Mobile on Thursday said a threat actor accessed personal data on about 37 million current customers in an intrusion that went undetected since late November.

    The wireless network operator identified the malicious activity on Jan. 5 and during a subsequent investigation determined the unauthorized access began on or around Nov. 25, the company said in a filing with the Securities and Exchange Commission.

    T-Mobile said it was able to trace the source of the malicious activity to an application programming interface and stop it with the help of cybersecurity consultants. 

    This incident marks the eighth publicly acknowledged data breach at T-Mobile since 2018, including a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.

    The investigation is ongoing, but T-Mobile said there is no evidence its systems or network were breached during the incident.

    From the cyber vulnerabilities front —

    Cybersecurity Dive reports

    • Potential cyber incidents and business interruption remained the two leading worldwide corporate risk concerns for the second year in a row, according to a report published Tuesday by Allianz Group’s corporate insurance unit, Allianz Global Corporate & Specialty. 
    • Both cyber and business interruptions were the top concerns among 34% of respondents in the annual Allianz Risk Barometer. The study measured the responses of 2,712 risk management experts in 94 countries and territories, including CEOs, risk managers, brokers and other insurance experts. 
    • Respondents were concerned about a range of potential incidents, from ransomware to data breaches and IT outages. The report noted ransomware remains a frequent threat and cited IBM data showing the average cost of a data breach hit a record of $4.35 million, with the cost expected to surpass $5 million this year.

    Health IT Security tells us

    Cloud security concerns settled into the number five spot on ECRI’s list of “Top 10 Health Technology Hazards for 2023,” a report that the organization has released annually for the past 16 years. ECRI is a nonprofit organization that focuses on healthcare technology and safety.

    The organization’s annual health tech hazards list is compiled by a team of clinicians, healthcare management experts, and biomedical engineers. Last year, ECRI identified cyberattacks as the number one health tech hazard.

    CISA added one more known exploited vulnerability to its catalog.

    The Healthcare Sector Cybersecurity Coordination Center issued three reports this week:

    • Healthcare Cybersecurity Bulletin for Q4 2022 “Ransomware attacks, data breaches, and often both together, continued to be prevalent attacks against the health sector,” the bulletin notes. “Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
    • December Vulnerabilities of Interest to the Health Sector “In December 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Intel, Cisco, SAP, Citrix, VMWare, and Fortinet.”
    • Artificial Intelligence and Its Current Potential to Aid in Malware Development “Artificial intelligence (AI) has now evolved to a point where it can be effectively used by threat actors to develop malware and phishing lures. While the use of AI is still very limited and requires a sophisticated user to make it effective, once this technology becomes more user-friendly, there will be a major paradigm shift in the development of malware. One of the key factors making AI particularly dangerous for the healthcare sector is the ability of a threat actor to use AI to easily and quickly customize attacks against the healthcare sector.”

    In this regard, CSO offers a feature on how ChatGPT changes the phishing game. “The Microsoft-backed free chatbot is improving fast and can not only write emails and essays but can also code. ChatGPT is also polyglot, and that could facilitate and increase exponentially phishing attacks.” Wonderful.

    From the ransomware front —

    • An ISACA expert explains why ransomware looms large on the third-party risk landscape. “As adoption of cloud datacenters and software as a service grows, so does reliance on complex and global supply chains that introduce a multitude of potential vulnerabilities that can be exploited by cybercriminals. In this blog post, we will explore some key strategies for identifying and mitigating supply chain risks, with a special emphasis on ransomware risks in the supply chain.”
    • In Cybersecurity Dive, a ransomware negotiator shares three tips for victim organizations.
    • Dark Reading adds “in another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.”

    From the cyber defenses front, Tech Republic explains that while the cybersecurity implications of ChatGPT are vast, especially for email exploits, putting up guardrails, flagging elements of phishing emails that it doesn’t touch, and using it to train itself could help boost defense. Ah, a double-edged sword.