From the cybersecurity policy front —
Federal News Network tells us
Federal cybersecurity leaders are looking forward to a major update for the National Institute of Standards and Technology’s Cybersecurity Framework, as NIST aims to add new details on governance, supply chain risks and more to a document that guides the cybersecurity practices of many organizations.
NIST released the original framework in 2014 and last updated the document in 2018. It began gathering feedback on the shift to “CSF 2.0” through a request for information last February, and hosted an initial workshop on the new framework in June.
Last month, NIST published a concept paper laying out some of the initial planned changes. Comments on the paper are due March 3. NIST plans to have a draft of CSF 2.0 ready by this summer, before releasing a final version in early 2024.
During a Wednesday workshop hosted by the standards agency, CISA Director Jen Easterly applauded NIST’s work to update the framework. She reiterated a recent push from CISA for the technology community to focus on “product safety and “the idea that software and hardware must be secure by design and secure by default,” adding that NIST’s work on the framework is an important element in that endeavor.
Federal News Network adds
The Social Security Administration is getting $23.3 million from the Technology Modernization Fund to implement multifactor authentication across its internal systems, part of a trio of recent TMF awards focused on cybersecurity and reliability.
The TMF announced three new investments today for SSA, the Treasury Department and the U.S. Agency for Global Media (USAGM).
USAGM is getting $6.2 million from the TMF to implement a zero trust architecture across its global network. * * * Other agencies to receive zero trust architecture funding from the TMF, include USAID, the Office of Personnel Management, the Education Department, and the General Services Administration.
Cyberscoop informs us
The U.S. government is stepping up its effort to combat threats from foreign technology investments, data acquisition and cyberattacks with a new collaboration between the Departments of Justice and Commerce, Deputy Attorney General Lisa Monaco said Thursday.
Speaking at the Chatham House in London as part of a conversation on disruptive technologies by nation states and malign actors, Monaco announced the “Disruptive Technology Strike Force,” to fight the ability of autocrats seeking “tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities.”
Venture Beat identifies five cybersecurity trends for 2023:
- Credential phishing remains the hackers’ go-to;
- Omnichannel cyberattacks increase risks;
- Cyber insurance coverage requirements grow;
- AI’s role in threat protection matures, and
- Cybersecurity must be flexible to meet threats.
Speaking of cyber insurance, the Advisory Council of Employee Welfare and Pension Plans issued a report on Cybersecurity Insurance and Employee Benefit Plans.
From the cyber threats front —
- The Health and Human Services Office for Civil Rights shared “two Reports to Congress for 2021, on
- These reports, delivered to Congress today, may benefit regulated entities to assist in their HIPAA compliance efforts. The reports also share steps OCR took to investigate complaints, breach reports, and compliance reviews regarding potential HIPAA rule violations. The reports include important data on the numbers of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.”
- The Cybersecurity and Infrastructure Security Agency added four known exploited vulnerabilities to its catalog on February 14, 2023, and one more on February 16, 2023. Bleeping Computer discusses February 14, 2023, additions.
- The Healthcare Sector Cybersecurity Coordination Center produced a Healthcare Sector DDoS Guide:
- “Distributed Denial of Service (DDoS) attacks have the potential to deny healthcare organizations and providers access to vital resources that can have a detrimental impact on the ability to provide care. In healthcare, disruptions due to a cyber-attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks. (See HC3 Analyst Note titled: Pro- Russian Hacktivist Group ‘Killnet’ Threat to HPH Sector). Link can be found here.
- “Threat actors utilize DDoS attacks due to the cost-effectiveness and relatively low resources and technical skills needed to deploy this type of attack as a hacker doesn’t have to install any code on a victim’s server. Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cyber criminals take advantage of the sheer number of insecure internet-connected devices. (Analyst Comment: It is strongly recommended by cybersecurity institutions, like the National Institute of Standards and Technology, that organizations effectively manage the cybersecurity and privacy risks associated with Internet-of-Things (IoT)). (See NIST Report (NISTIR) – 8228). Link can be found here.”
Health IT Security discusses this guide here.
- Ars Technica reports
One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.
Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information.
From the cybersecurity defenses front —
- Cyberscoop fills us in on the benefits of proactive cyber threat protection.
- Venture Beat explains how to use blockchain to prevent data breaches.
- The Wall Street Journal discusses “How Companies Can Minimize the Cybersecurity Risk From Their Tech Vendors.”
- Set up a rigorous review process when hiring vendors;
- Spell out expectations in vendor agreements, including how data will be shared;
- Hire internal assessors to regularly brief directors on vendor cybersecurity programs and vulnerabilities;
- Carefully guard access to company data from the vendors, and
- Empower the chief information security officer and bring security expertise to boards.