From Capitol Hill, the House of Representatives passed the Senate’s bipartisan $1 trillion infrastructure bill on a bipartisan 228-to-206 vote. Data Center Knowledge discusses how the $2 billion in the bill targeted at cybersecurity will be spent. The key comment is “The Infrastructure Bill Is the Carrot — The Stick May Come Later.”
In this regard, ZDNet adds that
Four US Senators have introduced a new bipartisan amendment to the [must pass] 2022 National Defense Authorization Act (NDAA) that will force critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA.
Two Democrats — Gary Peters and Mark Warner — worked alongside two Republicans — Rob Portman and Susan Collins — to push the amendment, which they said was based on Peters and Portman’s Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.
The amendment only covers confirmed cyberattacks and not ones that are suspected. But it forces all federal contractors to report attacks. There is no fine component in the amendment, one of the many provisions senators had been fighting over for months.
Victim[ized] organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts. Some wanted it to be within 24 hours and others said it should be within a week.
But the 72 hour limit does not apply to all organizations. Some — which the senators said included businesses, nonprofits and state and local governments — would be forced to report ransomware payments to the federal government within 24 hours of payment being made.
From the federal government technology front —
Cyberscoop reports that “A winning streak of hitting deadlines under President Joe Biden’s ambitious May cybersecurity executive order is widely expected to end Monday [November 8], affecting changes that administration officials have touted most: implementing multifactor authentication and encryption at all civilian federal agencies.”
Cyberscoop adds
The Cybersecurity and Infrastructure Security Agency [CISA] is ordering federal agencies to patch nearly 300 known, exploited vulnerabilities in a directive published Wednesday [November 3].
It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. The orders have focused more frequently on one major vulnerability at a time, or have directed agencies to set up broader policies addressing subjects like establishing vulnerability disclosure programs. As rationale, the agency pointed to issues in Microsoft Exchange technology that suspected Chinese hackers seized upon to target victims worldwide in early 2021.
Under the order, agencies must patch vulnerabilities from a CISA-created catalog by dates that range from two weeks for flaws observed this year to six months for those prior. Further, agencies must build a process for fixing such vulnerabilities on an ongoing basis in the future.
The Wall Street Journal explains
Many of the cybersecurity gaps outlined in a new White House directive that calls on federal agencies to patch hundreds of online vulnerabilities stem from the government’s aging computer systems, current and former federal tech chiefs, lawmakers and industry analysts say.
But ongoing efforts to upgrade these systems tend to get bogged down by budget restrictions, chronic talent shortages and a revolving door of agency information-technology leaders.
As a result, some of the vulnerabilities listed in the directive, issued by the Biden Administration Wednesday, date back years in older versions of software from Microsoft Corp. and other large technology firms. Agencies that haven’t continually upgraded these and other apps may lack protections needed to ward off the kinds of organized, sophisticated and widespread attacks that have crippled public- and private-sector systems in recent years.
Also Cyberscoop notes that
The Biden administration is working on an executive order that spells out the responsibilities of myriad top cybersecurity officials in the federal government, National Cyber Director Chris Inglis said Wednesday. Specifically, the idea would be to solidify the position of his office, only established by law in January, Inglis told the House Homeland Security Committee.
From the defense contractor front, Nextgov informs us that
The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official.
The program was supposed to be implemented over a five-year period with the ultimate goal of requiring every defense contractor in possession of certain controlled but unclassified information to obtain a certificate from a third-party assessor indicating their adherence to the Cybersecurity Maturity Model Certification standard. A number of programs within DOD were selected to pilot the program this year. Now, the Pentagon says it is looking to streamline the program—into CMMC 2.0—and make it more collaborative with industry in two new rulemakings through the Code of Federal Regulations.
“Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” reads a notice set to publish Friday in the Federal Register. “The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”
At the heart of CMMC was an assertion by Pentagon officials that the current system of allowing defense contractors to self-attest, or simply pledge, their adherence to cybersecurity standards outlined by the National Institute of Standards and Technology is not working. The officials pointed to continued theft of intellectual property by Chinese nation-state actors as their chief indicator.
In preventive steps news, Health IT Security tells us that
Healthcare organizations can have the most sophisticated internal security protocols, but failing to assess third-party risk may leave organizations vulnerable to data breaches nonetheless.
Threat actors are increasingly using third-party business associates as entry points into customer networks. Once inside the network, the malicious hackers may be able to encrypt files, access sensitive health data, and deploy ransomware on any organization that the associate does business with.
Hackers using third-party entities as an attack vector became a very prevalent threat in July 2021, when REvil threat actors launched a ransomware attack against IT management software company Kaseya and compromised the data of over 1,500 of its customers.
According to Jeremy Huval, HITRUST’s chief innovation officer, the Kaseya attack signaled an increase in impactful and frequent supply chain cyberattacks and underscored the need for better third-party risk management procedures.
Last but not least here is a link to the Bleeping Computer’s latest The Week in Ransomware.
The FBI issued advisories this week warning that HelloKitty has added DDoS attacks to their arsenal, that ransomware gangs commonly conduct attacks “during time-sensitive financial events,” and that gangs are targeting tribal-owned businesses, including casinos.