Today is the 113th anniversary of the birth of President Abraham Lincoln who, in the FEHBlog’s opinion, is the best President our Nation ever had.
From the federal legislative and regulatory proposals front —
Nextgov tells us
[On February 8, 2022] Leaders of the Homeland Security and Governmental Affairs Committee introduced the Strengthening American Cybersecurity Act bundling provisions they view as crucial in the wake of vulnerabilities like one found in open-source software library log4j, but couldn’t get over the finish line in previous attempts.
“This landmark, bipartisan legislative package will provide our lead cybersecurity agency, [the Cybersecurity and Infrastructure Security Agency], with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches,” Committee Chairman Gary Peters, D-Mich., said in a press release Tuesday. “Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.”
Health IT Security adds that also last week, “US Senators Tammy Baldwin (D-WI) and Bill Cassidy (R-LA) introduced the Health Data Use and Privacy Commission Act intending to modernize health data privacy laws to reflect the current tech landscape. * * * If passed, the act would establish a commission to review existing health data protections and assess current practices for health data use. The commission, whose members would be appointed by the Comptroller General, would also submit a report to Congress and the President six months after formation with recommendations on modernizing health data privacy.”
Evidently, in furtherance of this legislative proposal, AHIP announced its “core guiding priorities and a detailed roadmap to further protect the privacy, confidentiality, and cybersecurity of consumer health information.”
Reginfo.gov tells us that the Office of Management and Budgets’ Office of Information and Regulatory Affairs has received for its review the following: “HIPAA Rules: Request for Information on Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, and Recognized Security Practices Under HITECH.” As the HITECH Act of 2009 asked the Department of Health and Human Services to issue such a rule, this RFI falls into the better late than never category.
From the Apache Log4j vulnerability front, Cybersecurity Dive reports
Apache Software Foundation President David Nalley on Tuesday told the Senate Homeland Security & Government Affairs Committee it could take months, or even years, to fully eliminate the Log4j vulnerability.
Every stakeholder in the software industry, especially the federal government and major customers, should be investing in supply chain security, Nalley said. He endorsed efforts like the software bill of materials (SBOM), but said the legislation won’t prevent vulnerabilities, only uncover them more quickly.
Sen. Alex Padilla, D-Calif., raised questions over whether there is a “free rider” problem where large companies benefit from open source contributors, while providing very little compensation in return.
Another Cybersecurity Dive article explains
Security flaws in free and open-source software (FOSS) will be a recurring source of cyber risk, Moody’s Investors Service found. It could take organizations three to five years to fully resolve issues related to the Log4j vulnerability.
Certain industries vary in their ability to respond to vulnerabilities, according to 2021 data from BitSight, a Moody’s partner on cyber issues. The telecommunications industry trails other sectors, remediating only 29% of critical vulnerabilities within 90 days. The legal industry, with the quickest response time, remediated 68% of critical vulnerabilities in the same time frame.
The use of FOSS can save organizations considerable time and funding. But issues remain about the lack of financial support and, due to the voluntary participation of many contributors, developers experience high levels of burnout. * * *
While open source helps organizations save considerable time and effort on development, security concerns must be accounted for, said Sandy Carielli, a principal analyst at Forrester.
“However, the mistake is to assume that you can grab an open source library and then never look at it or update it again,” Carielli said via email. “Organizations need to get better about managing their open source — understanding where it is used and automating updates so that when something like Log4j happens, it’s a blip on the radar and can be remediated with practiced upgrade procedures.”
The Moody’s report follows a January report from Fitch warning about the increased cyber risk of Log4j to public finance entities, including local governments, small utilities and critical infrastructure providers.
From the cybersecurity business front, Cyberscoop informs us
Sustained demand for cybersecurity services and continued innovation across the industry helped 2021 become a record-setting year for deals involving cyber companies, analysts say.
The funding that flowed into cyber companies increased 136% over 2020 levels, to $29.3 billion, up from $12.4 billion the previous year, according to a report published Wednesday by Momentum Cyber, which advises cyber companies on mergers and acquisitions.
Likewise, the total volume of mergers and acquisitions activity reached $77.5 billion, up 294% from calendar year 2020, according to the report.
Several trends are driving those numbers, analysts and executives say: Companies across the economy have expanded their budgets for reliable cybersecurity services, boosting revenues for the industry. In turn, big investors — including private equity groups and venture capitalists — are following that money. And as cyberthreats increase in severity and complexity, smaller firms continue to develop valuable expertise in niche areas of information security.
From the government alert front, the HHS Cybersecurity Program issued an alert last week captioned “Indicators of Compromise Associated with LockBit 2.0 Ransomware and Additional Mitigations.”
Also,
“The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory outlining the growing international threat posed by ransomware over the past year.
“The advisory titled “2021 Trends Show Increased Globalized Threat of Ransomware” outlines top trends seen across three nations including:
- Cybercriminals are increasingly gaining access to networks via phishing, stolen Remote Desktop Protocols (RDP) credentials or brute force, and exploiting software vulnerabilities.
- The market for ransomware became increasingly “professional” and there has been an increase in cybercriminal services-for-hire.
- More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.
- Cybercriminal are diversifying their approaches extorting money.
- Ransomware groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain.
- Ransomware groups are increasingly targeting organizations on holidays and weekends.
“Importantly, today’s Cybersecurity Advisory also lays out mitigations to help network defenders reduce their risk of compromise, appropriate responses to ransomware attacks, and key resources from each respective cyber agency.”
Here is a link to that advisory and, of course, a link to Bleeping Computer’s The Week in Ransomware.
Happy Super Bowl weekend.