Compromise Cyber Incident Report Bill Derailed
India's joint committee reports on data protection bill; European Council and Parliament announce agreement on Data Governance Act
First, a bit of news. The Wavelength will transition to a paid product, but there will still be a free version available. The scope and shape of this change are still in the making but should be settled by January 2022.
Second, some scheduling matters. The last issue of The Wavelength for 2021 should be on or about 20 December, events permitting, of course. We would then resume in early 2022.
Less than a month ago, cyber incident reporting legislation seemed well on its way to enactment. The United States (U.S.) House of Representatives had cleared a bill as part of its FY 2022 National Defense Authorization Act (NDAA) (H.R.4350). However, some stakeholders in the Senate were at odds on a key facet of the bill. In this Just Security piece, I discussed the main stumbling block among sponsors: how quickly after discovery of a significant cyber incident must a covered entity report to the U.S. government? Ultimately, the sponsors of the competing Senate bills reached agreement and vowed to work together to add it to the Senate's NDAA. However, the compromise NDAA package the Armed Services Committees agreed upon contains no cyber incident reporting legislation, nor many of the other tech provisions House and Senate proponents had hoped to load onto one of the few reliable legislative vehicles that always gets enacted. Why is this?
Before we get to the post mortem, some background will help. All three of the bills would require critical cyber infrastructure owners and operators to report significant cyber incidents to the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The theory behind the legislation is that if CISA serves as a clearinghouse and center of analysis for the myriad attacks and threats against the most important U.S. cyber infrastructure, the U.S. can better defend itself. The impetus for the legislation was the apparently successful Russian and Chinese attacks on SolarWinds, Microsoft Exchange, Accellion, and other entities, often through supply chains or updates. Conceivably, had one of these entities had an affirmative duty to report such intrusions, upon confirmation it would have duly reported to CISA, which could then have pushed out word to U.S. entities, which could then have scoured their own networks, which ideally would limit the damage. It bears mention that none of the cyber incident reporting bills impose a duty on entities receiving a warning from CISA to act, and absent an existing legal or regulatory requirement to do something (or fear of litigation), such entities may well choose to do little or nothing. This is often seen when patches for widely used systems are not installed in a timely fashion, allowing attackers to exploit publicly acknowledged vulnerabilities long after a fix is available. And so, a U.S. government procedure to distribute news of cyber incidents is not a silver bullet, but it is a start.
As mentioned, the House Homeland Security Committee's bill, the "Cyber Incident Reporting for Critical Infrastructure Act of 2021" (H.R.5440), was added to the NDAA for Fiscal Year 2022 (H.R.4350) during debate in the House, and the package was sent to the Senate by a 316-113 vote (see here for more detail and analysis). The bipartisan legislation was introduced late in the summer by the Chair and Ranking Member of the House Homeland Security Committee (Representatives Bennie Thompson (D-MS) and John Katko (R-NY)), along with the Chair and Ranking Member of the Committee's Cybersecurity, Infrastructure Protection, and Innovation Subcommittee (Representatives Yvette Clarke (D-NY) and Andrew Garbarino (R-NY)).
Earlier in the summer, Senate Intelligence Committee Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL), and Senator Susan Collins (R-ME) introduced the "Cyber Incident Notification Act of 2021" (S.2407), which tracks closely with the draft bill released in June (see here for more detail and analysis). In their press release, Warner, Rubio, and Collins described it as "bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery." They added:
§ The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
§ Under existing law, there is currently no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.
In late summer, after the House Homeland Security Committee had added its bill to the House's FY 2022 NDAA, the Senate Homeland Security and Governmental Affairs Committee got onto the field with its long awaited "Cyber Incident Reporting Act" (S.2875). Chair Gary Peters (D-MI) and Ranking Member Rob Portman (R-OH) introduced the bill in late September, and it was marked up on October 6 (see here for more detail and analysis). This bill also has language requiring all entities to report ransomware payments to CISA within 24 hours, as a means of giving the U.S. government more insight into who is paying ransoms and, likely, as a disincentive to pay, since having to disclose a payment to the U.S. cyber agency is not a good look for many companies.
In November, Senators Mark Warner (D-VA), Gary Peters (D-MI), Rob Portman (R-OH), and Susan Collins (R-ME) announced a compromise on cyber incident reporting legislation (see here for more detail on the bills and main impasse) they would offer as an amendment to the Senate’s National Defense Authorization Act (NDAA) for Fiscal Year 2022. In their press release, they stated:
§ The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021 authored by Peters and Portman, and advanced by the Homeland Security and Governmental Affairs Committee, where they serve as Chairman and Ranking Member, respectively.
§ The amendment would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. Many other organizations, including businesses, nonprofits, and state and local governments, would also be required to report to the federal government within 24 hours if they make a ransom payment following an attack. Additionally, the amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, as well as require all civilian agencies to report all cyber-attacks to CISA, and major cyber incidents to Congress. It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.
In the amendment filed for consideration, Peters, Portman, Warner, and Collins paired the compromise cyber incident reporting bill with the "Federal Information Security Modernization Act of 2021" (S.2902). And there are some notable changes that go beyond the sponsors' press release. For example, many federal contractors would be explicitly made covered entities, whereas in one of the previous bills CISA would have determined which entities are covered through a rulemaking, with the caveat that federal contractors would at a minimum be deemed covered.
Next, Peters, Portman, Warner, and Collins define what a "significant cyber incident" is, a term found in neither the Senate Intelligence nor the Senate Homeland Security bill:
a cybersecurity incident, or a group of related cybersecurity incidents, that the Secretary determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.
This language has the potential to make cyber incident determinations a more political matter, for the Secretary of Homeland Security alone could make this call. While the CISA Director is, of course, a political appointee as well, that office has tended to be less political over the last few years, whereas recent Secretaries have aligned themselves and their decisions with the White House. Also of note is the "demonstrable harm" requirement, which may allow the Secretary to decline to designate as significant some incidents whose repercussions are not foreseeable at the time and only later become apparent.
Next, instead of establishing a new Cyber Incident Review Office, the bill would task the National Cybersecurity and Communications Integration Center (NCCIC) inside CISA with handling all the incident reporting duties. NCCIC already manages the cyber threat sharing system created in the “Cybersecurity Act of 2015” (P.L. 114-113), so it makes a certain amount of sense to use or expand existing capabilities. This may allow for a smoother implementation, but it may also work against the new scheme, for a number of government reports have cited widespread problems with the cyber threat information NCCIC distributes.
As noted, the reporting window was widened from Warner and Collins' preferred 24 hours to the Homeland Security Committees' 72 hour period. The bill mandates that:
[a] covered entity that is a victim of a covered cyber incident shall report the covered cyber incident to the Director not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.
The clock starts running when a covered entity "reasonably believes that the covered cyber incident has occurred." What will CISA and other agencies do if covered entities try to define reasonable belief as something closer to actual knowledge, or even extensive confirmation? As we will see later, there is not much in this bill to give the U.S. government leverage on that question.
Supplemental reports are required to keep CISA updated after an initial incident report is filed. Given this framework, it seems a bit illogical that policymakers would not create a system requiring covered entities to alert CISA on a much shorter timeline when there is an indication of an incident, with the details to follow in supplemental reports. Certainly, CISA Director Jen Easterly and National Cyber Director Chris Inglis, two longtime cyber experts with private sector experience, think a 24 hour window is feasible.
The bill still has the 24 hour deadline for reporting ransomware payments. To be fair, one possible reason for a 24 hour deadline on ransomware payments is that a payment is a completed action and requires no guesswork about whether it has been transmitted. Not necessarily so for determining whether a cyber incident has occurred.
There is still language requiring a cyber incident report to accompany a ransomware payment report if a covered entity pays a ransom, and this too would need to be filed within 24 hours. However, this requirement comes into play only if the underlying event is a covered cyber incident.
The timeline for the rulemaking that would establish the new reporting system and define key terms such as covered entity and covered cyber incident is longer than in the previous bills. Under the compromise language, CISA could take up to 3.5 years to issue a final rule. This seems at odds with the purported urgency of the issue facing U.S. critical cyber infrastructure. Nevertheless, the final rule "shall be composed of the following elements:
(1) A clear description of the types of entities that constitute covered entities, based on—
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—
(A) at a minimum, require the occurrence of—
(i) the unauthorized access to an information system or network with a substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
(ii) a disruption of business or industrial operations due to a cyber incident; or
(iii) an occurrence described in clause (i) or (ii) due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;
(B) consider—
(i) the sophistication or novelty of the tactics used to perpetrate such an incident, as well as the type, volume, and sensitivity of the data at issue;
(ii) the number of individuals directly or indirectly affected or potentially affected by such an incident; and
(iii) potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and
(C) exclude—
(i) any event where the cyber incident is perpetuated by a United States Government entity, good faith security research, or in response to an invitation by the owner or operator of the information system for third parties to find vulnerabilities in the information system, such as through a vulnerability disclosure program or the use of authorized penetration testing services; and
(ii) the threat of disruption as extortion, as described in section 2201(9)(A).
The Senate Homeland Security Committee's enforcement regime was grafted onto the compromise, meaning that if a covered entity does not submit a cyber incident or ransomware report CISA thinks it ought to, CISA may request that the entity do so. If the request is ignored and 72 hours have passed, CISA may issue a subpoena to compel production. If the subpoena is ignored, CISA can ask the U.S. Department of Justice (DOJ) to bring a civil action against the covered entity to enforce it. DOJ may also determine that the non-compliance violates other U.S. federal criminal or civil statutes and bring additional actions. CISA may refer the matter to the General Services Administration (GSA) if the covered entity is a federal contractor, and GSA could seek to bar the entity from future federal contracts.
There is still language barring U.S. federal, state, local, and tribal governments from bringing regulatory enforcement actions against covered entities solely on the basis of cyber incident or ransomware reports. Consequently, such reports may supplement regulatory investigations and enforcement actions based on other sources of information. It bears noting that the bill seems to distinguish between regulatory and court actions, for in the case of the latter covered entities would have legal immunity against all suits to the extent they complied with the reporting requirements. The sponsors drove home the point that the liability shield covers only actions that rest solely on cyber incident or ransomware reports.
That covers the major provisions of the Senate’s compromise bill.
So what derailed it? Opposition to the language requiring all entities, not just critical infrastructure, to report ransomware payments appears to be to blame. Multiple sources claim that Senator Rick Scott (R-FL) asked Senate Minority Leader Mitch McConnell (R-KY) to block inclusion of the compromise amendment on these grounds, and some claim Scott worked outside the formal system to place holds on the legislation. Reports indicate Scott wanted the ransomware reporting requirements to apply only to critical cyber infrastructure and not to all such payments.
Scott had already made his opposition to the Senate Homeland Security Committee's bill clear during the 6 October markup by offering an amendment to significantly narrow the bill, which failed on a party-line vote. A spokesperson for Scott echoed his remarks at the markup: "He believes another onerous government mandate on businesses is not the answer." Scott also offered an amendment to the Senate NDAA that would do much the same. In any event, one account claimed that negotiations ran too long, and the NDAA's sponsors opted to chuck the cyber incident reporting bill along with other technology provisions rather than allow protracted negotiations to delay passage of the annual defense policy bill.
After it was clear a cyber incident reporting bill would be left out of the FY 2022 NDAA, fingers were pointed. Peters asserted "[w]e need urgent action to tackle the serious threat posed by cyber-attacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk." He vowed that "I'll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cybercriminals and foreign adversaries who continue targeting our networks." House Homeland Security Committee Chair Bennie Thompson (D-MS) and the chair of the cybersecurity subcommittee, Representative Yvette Clarke (D-NY), sounded some of the same notes. Thompson and Clarke's statement could be read as suggesting Senate Republicans intentionally ran out the clock in order to keep this legislation out of the NDAA. If so, it would not be an uncommon tactic: make an issue of a detail in legislation, then drag out negotiations to the point where moving the bill is no longer possible.
A Scott spokesperson responded that "Senator Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America's small businesses." The spokesperson added that "[a]fter hearing late on Monday night that a deal had been reached to change the amendment and make Senator Scott's proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House." Not surprisingly, Scott shifted the blame to the Armed Services Committees for leaving the agreed upon compromise language out of the final bill.
Nonetheless, most accounts quote Members and staff who think a standalone cyber incident reporting bill could be filed and passed in this Congress.
Other Developments
§ India's Joint Parliamentary Committee completed its report on the "Personal Data Protection Bill, 2019," a step that may clear the way for the nation's first data protection law. The committee issued its report, a White Paper Of The Committee Of Experts On A Data Protection Framework For India, and a summary.
§ The European Council and the European Parliament announced that they “reached a provisional agreement on a new law to promote the availability of data and build a trustworthy environment to facilitate its use for research and the creation of innovative new services and products.” They asserted:
o The Data Governance Act (DGA) will set up robust mechanisms to facilitate the reuse of certain categories of protected public-sector data, increase trust in data intermediation services and foster data altruism across the EU.
o It is an important component of the European strategy for data, which aims to bolster the data economy, increase wealth and wellbeing, and give Europe a competitive advantage to the benefit of its citizens and businesses.
o The Data Governance Act will create a mechanism to enable the safe reuse of certain categories of public-sector data that are subject to the rights of others. This includes, for example, trade secrets, personal data and data protected by intellectual property rights. Public-sector bodies allowing this type of reuse will need to be properly equipped, in technical terms, to ensure that privacy and confidentiality are fully preserved.
o In this respect, the DGA will complement the Open Data Directive from 2019, which does not cover such types of data.
o Exclusive arrangements for the reuse of public-sector data will be possible when justified and necessary for the provision of a service of general interest. The maximum duration for existing contracts will be 2.5 years and for new contracts 12 months.
o The Commission will set up a European single access point with a searchable electronic register of public-sector data. This register will be available via national single information points.
§ United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released a statement on the “log4j” vulnerability and asserted the agency “is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library.” Easterly said:
o This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.
o CISA recommends asset owners take three additional, immediate steps regarding this vulnerability:
§ 1. Enumerate any external facing devices that have log4j installed.
§ 2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
§ 3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
§ The Australian Cyber Security Centre (ACSC) published an alert on the “Critical remote code execution vulnerability found in Apache Log4j2 library.” The ACSC deemed this alert critical and explained:
o Background /What has happened?
o A remote code execution vulnerability has been identified in Apache Log4j2 library, one of the most widely used Java-based logging utilities globally, via a security blog post.
o Proof-of-concept code to exploit this vulnerability is publicly available on GitHub.
o Due to widespread use in popular frameworks a large number of third-party apps may also be vulnerable to exploits.
o The ACSC is aware of scanning in attempts to locate vulnerable servers.
o Mitigation / How do I stay secure?
o Australian organisations who utilise Apache Log4j2 versions prior to 2.15.0 should review their patch level and update to the latest available version.
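CISA's first step above (enumerate devices that have log4j installed) and the ACSC's mitigation (find anything on a log4j-core version before 2.15.0) both come down to the same inventory problem: find every Java archive on a host that bundles log4j-core and read its version. The script below is an added example written for this newsletter; it is not CISA or ACSC tooling. It walks a directory tree, opens each .jar/.war/.ear as a zip, reads the version from the Maven pom.properties that log4j-core ships inside the archive, and separately checks for JndiLookup.class, since removing that class from the jar was a documented mitigation. It looks one level into nested archives (a jar inside a war), because that is where application servers usually hide the copy that matters. The 2.15.0 threshold matches the ACSC alert as quoted; later advisories raised the fixed version, so treat the constant as a parameter, not a verdict. The sample archives it builds in a temporary directory are constructed fixtures, not real artifacts.

```python
"""Log4j-core inventory for a directory tree (added example, not CISA/ACSC code)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that log4j-core ships inside its jar; gives the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup; deleting it from the jar was a published mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # per the ACSC alert above; later advisories moved this higher


@dataclass
class Finding:
    path: str                      # filesystem path; "!" separates a nested archive
    version: Optional[Tuple[int, ...]]
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        # Fail closed: JndiLookup present with no readable version is reported.
        if self.version is None:
            return self.has_jndi_lookup
        return self.version < FIXED_VERSION and self.has_jndi_lookup


def parse_version(pom_properties: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from a pom.properties body; None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def inspect_zip(zf: zipfile.ZipFile, label: str, depth: int = 0) -> Iterator[Finding]:
    """Yield a Finding for this archive if it bundles log4j-core; recurse one level."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_LOOKUP in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        yield Finding(label, version, JNDI_LOOKUP in names)
    if depth >= 1:
        return
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            yield from inspect_zip(inner, f"{label}!{name}", depth + 1)


def scan_tree(root: str) -> List[Finding]:
    """Walk root and inspect every archive found."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_zip(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def vulnerable_paths(root: str) -> List[str]:
    return sorted(f.path for f in scan_tree(root) if f.vulnerable)


def build_sample_tree() -> str:
    """Constructed fixture standing in for a host: three jars and one war."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def write_jar(path: str, version: Optional[str], include_jndi: bool) -> None:
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only (constructed)

    write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)           # vulnerable
    write_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)           # at fixed version
    write_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)  # JndiLookup removed
    inner = io.BytesIO()  # a war bundling an old log4j-core under WEB-INF/lib
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.10.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.10.0.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print("VULNERABLE" if f.vulnerable else "ok        ", f.path, f.version, f.has_jndi_lookup)
```

Run against real hosts by replacing `build_sample_tree()` with the application and container image roots you care about; the version-file check alone will miss shaded or relocated copies, which is why the class-name check is kept as an independent signal.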
§ The United States (U.S.) Federal Trade Commission (FTC) and Department of Justice (DOJ) issued a joint statement with the United Kingdom’s (UK) Competition and Markets Authority (CMA) after “the Competition Enforcers Summit, which took place under the 2021 G7 Digital and Technology Track in connection with the UK’s G7 presidency.” The agencies stated:
o This week’s Competition Enforcers Summit underscored the similar challenges we face as enforcement agencies. Our meetings highlighted the close relationship among our agencies, underscored that we each view this relationship as a critical element of our respective enforcement programs, and affirmed our intent to strengthening collaboration and coordination with one another.
o New and evolving challenges require us to innovate in how we accomplish our missions. And in today’s global economy, our agencies often review the same mergers or confront similar potentially anticompetitive conduct. Given the many parallel investigations, we are committed to working closely together to promote fully informed decision-making and to facilitate best practices on pursuing effective remedies. We also welcome working with other agencies both individually and collectively.
o We share common goals and are dedicated to close and regular engagement both on the agency head and staff level, as priorities and resources allow. Deeper recognition of our common cause of tackling anticompetitive conduct and mergers opens up possibilities for us to implement robust cross-border enforcement regimes and achieve success in ways that would elude individual agencies working alone.
§ Australia, Denmark, Norway, and the United States issued a joint statement “on the Export Controls and Human Rights Initiative.” They pledged:
o Over the coming year of action, we commit to working to establish a voluntary, nonbinding written code of conduct around which like-minded states could politically pledge, to use export control tools to prevent the proliferation of software and other technologies used to enable serious human rights abuses. In addition, we will use the year of action to consult with industry and academia in our efforts.
§ New Zealand’s Office of the Privacy Commissioner (OPC) issued a report “Privacy Breach Reporting” that “analyses the types of privacy breaches being reported and is driving the Office’s new compliance and enforcement activities.” The OPC asserted:
o Since reporting of serious privacy breaches became a legal requirement, OPC has seen a nearly 300% increase in privacy breach reporting compared to the same 11-month period the year before.
o Human error has been the leading cause of serious privacy breaches during this period (61 percent), with email error accounting for over a quarter of those breaches. Other types of privacy breaches in the human error reporting were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, postal and courier errors.
§ The United States (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) is asking for “public comments regarding areas and priorities for U.S. and EU export control cooperation to help inform the work of the U.S-EU Trade and Technology Council (TTC) Export Control Working Group.” BIS added that “[c]omments should address ways in which existing U.S. and/or European Union dual-use export control policies and practices may be more transparent, more efficient and effective, more convergent, and fit for today's challenges, in particular with regards to the control of emerging technologies.”
§ The United States (U.S.) Department of Commerce’s National Telecommunications and Information Administration (NTIA) explained in a public notice it “will host broadband grant program public virtual listening sessions in connection with the five new broadband grant programs authorized and funded by the Infrastructure Investment and Jobs Act: The Broadband Equity, Access, and Deployment Program; the Enabling Middle Mile Broadband Infrastructure Program; and the Digital Equity Act Programs, which include the State Digital Equity Planning Grant Program, State Digital Equity Capacity Grant Program, and Digital Equity Competitive Grant Program.” NTIA added that “[t]hese public virtual listening sessions are designed to collect stakeholder input to help inform program development and implementation.”
§ The United States (U.S.) Senate passed the “Better Cybercrime Metrics Act” (S.2629) by unanimous consent, sending the bill to the House. According to an August 2021 press release, primary sponsor Senator Brian Schatz (D-HI) stated:
o The Better Cybercrime Metrics Act will give law enforcement a clearer picture of online crimes in the United States by requiring the FBI to integrate cybercrime incidents into its current reporting streams to better understand all the types of crime that Americans face. As cybercriminals continue to target vulnerable populations, this data will help lawmakers make an informed case for policy changes to curtail the cybercrime wave, keep Americans safe, and bring these criminals to justice.
o The Better Cybercrime Metrics Act will:
§ Require the FBI to report metrics on cybercrime and cyber-enabled crime categories, just as they do for other types of property crime;
§ Encourage local and federal law enforcement agencies to report incidents of cybercrime in their jurisdictions to the FBI;
§ Authorize a study at the National Academies of Science to create a taxonomy for cybercrime incidents in consultation with federal, state, local, and tribal stakeholders, criminologists, and business leaders that would inform the FBI’s reporting of cybercrime and cyber-enabled crime; and
§ Require the Bureau of Justice Statistics at the Department of Justice and the Census Bureau to include questions related to cybercrime and cyber-enabled crime as part of its annual National Crime Victimization Survey.
§ The United States (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) issued a final rule to amend the Export Administration Regulations (EAR) “by adding twenty-seven entities to the Entity List.” BIS stated that “[t]hese twenty-seven entities have been determined by the U.S. Government to be acting contrary to the national security or foreign policy interests of the United States.” The BIS said that “[t]hese entities will be listed on the Entity List under the destinations of the People's Republic of China (China), Japan, Pakistan, and Singapore.” BIS continued with “[t]his rule also revises one existing entry on the Entity List under the destination of China, adds addresses under the destination of Taiwan for a listed entity, and corrects an entry under the destination of China…[and] amends the EAR by adding one entity to the Military End-User (MEU) List under the destination of Russia.”
§ The Strategic Organizing Center filed a complaint with the United States (U.S.) Federal Trade Commission (FTC) “alleging Amazon.com, Inc. (Amazon) is unlawfully deceiving millions of consumers by failing to “clearly and conspicuously” disclose which of its search engine results are paid advertisements rather than “organic” search results in violation of Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. §45 (a).”
Further Reading
§ “Operation Whistle Pig: Inside the secret CBP unit with no rules that investigates Americans” By Jana Winter — yahoo! news. It was almost 10 p.m. on a Thursday night, and Ali Watkins was walking around the capital following instructions texted by a stranger. One message instructed her to walk through an abandoned parking lot near Washington, D.C.’s Dupont Circle, and then wait at a laundromat. Then came a final cryptic instruction: She was to enter an unmarked door on Connecticut Avenue leading to a hidden bar.
§ “Keeping the Wrong Secrets: How Washington Misses the Real Security Threat” By Oona Hathaway — Foreign Affairs — The United States keeps a lot of secrets. In 2017, the last year for which there are complete data, roughly four million Americans with security clearances classified around 50 million documents at a cost to U.S. taxpayers of around $18 billion.
§ “That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part” By Elizabeth Elkin and Deena Shanker — Bloomberg. The cream cheese shortage wreaking havoc on bagel shops and bakeries is, in part, due to a cyberattack on the biggest U.S. cheese manufacturer. Schreiber Foods in Wisconsin, which makes cheese slices for most of the top burger chains in America and has a cream cheese business rivaling Kraft’s, closed for days in October after hackers compromised its plants and distribution centers. While that may not sound like a long time, the company is big enough that the lost production shook U.S. markets.
§ “Google Tells Specific Apps to Disclose Location Gathering or Be Removed” By Joseph Cox — Vice. Google has sent a wave of warnings to specific Android app developers telling them to be much clearer with how they collect and process location data or face being removed from the Play Store entirely, Motherboard has learned. Google targeted apps that it believes worked with a company called Huq, which collects granular location data from ordinary smartphone apps and then sells products based on that to various industries. Google appears to have removed some offending apps too.
§ “Deepfake video of Jacinda Ardern smoking crack highlights sinister technology” By Rohan Smith — News AU. When a video purporting to show New Zealand Prime Minister Jacinda Ardern smoking drugs surfaced on social media in recent months, experts quickly dismissed it as a fake. The video, which was viewed and shared thousands of times, showed a woman smoking from what appeared to be a crack pipe. The PM’s face had been superimposed using artificial intelligence. But the video, created for YouTube, was convincing enough to the many who shared it. It was the latest example of how disturbingly authentic-looking videos can blur the lines between reality and fantasy.
§ “US, Australia and Japan to Fund Undersea Cable in the Pacific” — Voice of America. The United States, Australia and Japan said Sunday they will jointly fund the construction of an undersea cable to boost internet access in three tiny Pacific countries, as the Western allies seek to counter rising Chinese influence in the region. The three Western allies said they would develop the cable to provide faster internet to Nauru, Kiribati and the Federated States of Micronesia.
§ “China builds undersea cable bases amid digital infrastructure rivalry” By Laura Zhou — South China Morning Post. China is to build two bases to maintain undersea cables in the East China and South China seas as part of efforts to bolster its digital infrastructure, which has emerged as a new front in its geopolitical competition with the United States. Under the government’s five-year plan for the information and communication industry, China is also seeking to build two more specialist ships for undersea cable maintenance in the next five years “to establish an internationally competitive capability in the construction and maintenance of submarine cables”. The plan does not give details of the two bases’ operations, but says they will be located in the East China and South China seas.
§ “FBI Document Says the Feds Can Get Your WhatsApp Data — in Real Time” By Andy Kroll — Rolling Stone. As Apple and WhatsApp have built themselves into multibillion-dollar behemoths, they’ve done it while preaching the importance of privacy, especially when it comes to secure messaging. But in a previously unreported FBI document obtained by Rolling Stone, the bureau claims that it’s particularly easy to harvest data from Facebook’s WhatsApp and Apple’s iMessage services, as long as the FBI has a warrant or subpoena. Judging by this document, “the most popular encrypted messaging apps iMessage and WhatsApp are also the most permissive,” according to Mallory Knodel, the chief technology officer at the Center for Democracy and Technology.
§ “IMF, 10 countries simulate cyberattack on global financial system” By Steven Scheer — Reuters. Israel on Thursday led a 10-country simulation of a major cyberattack on the global financial system in an attempt to increase cooperation that could help to minimise any potential damage to financial markets and banks. The simulated "war game", as Israel's Finance Ministry called it and planned over the past year, evolved over 10 days, with sensitive data emerging on the Dark Web. The simulation also used fake news reports that in the scenario caused chaos in global markets and a run on banks.
§ “DOD CIO updating cyber reciprocity guidance after audit finds weaknesses” By Billy Mitchell — fedscoop. The Department of Defense said it will take steps to strengthen reciprocity guidance for IT systems security authorization after the department’s inspector general found its existing processes to be lacking. In an audit published Tuesday, the DOD IG found that the department’s CIO did not oversee components’ reciprocity efforts as required by the DOD Risk Management Framework (RMF). Instead, the CIO looked to the components themselves “to manage the system authorization process and use reciprocity to maximize the reuse of testing and assessments results developed during prior system authorizations,” the audit says.
§ “Honeywell-backed company to sell super secure quantum encryption key” By Jane Lanhee Lee — Reuters. Quantum computer software firm Cambridge Quantum said on Tuesday it was launching a platform that can generate super secure cryptographic keys and sell them as a commercial product. The UK-based startup this year became a wholly owned subsidiary of Quantinuum, a quantum computer hardware and software company in which Honeywell International Inc has a 54% stake.
§ “Ransomware attack on Australian utility claimed by Russian-speaking criminals” By Joseph Menn — Reuters. One of the most prolific Russian-speaking ransomware gangs has claimed credit for a weekend attack on an Australian electric utility serving millions of people. Australian media reported on Monday that Chinese government hackers were behind the breach at CS Energy, which is owned by the Queensland state in northeast Australia.
§ “Canadian police arrest Ottawa resident for ransomware attacks” By Catalin Cimpanu — The Record. Canadian police have detained an Ottawa resident for his alleged role in orchestrating ransomware attacks against private companies and government agencies in Canada and the US since 2018. Matthew Philbert, 31, of Ottawa, was detained last week, on November 30, as part of Operation CODA. He was formally charged today in both Canada and the US. According to a press conference today, Philbert is believed to have worked with an international cybercrime group to infect organizations with malware via phishing emails.
§ “Israel Exports Arms Endangering Human Rights Because It Serves Our Interests, Top Defense Official Admits” By Avi Bar-Eli — Haaretz. It’s been nearly five months since the last scandal involving the cyber offense firm NSO Group. In the time since, it has become abundantly clear that it was one scandal too many.
Coming Events
Photo by Samuel Pereira on Unsplash
§ 14 December
o The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this agenda:
§ Improving Accessibility and Clarity of Emergency Alerts. The Commission will consider a Notice of Proposed Rulemaking and a Notice of Inquiry to improve clarity and accessibility of Emergency Alert System (EAS) visual messages to the public, including for persons who are deaf or hard of hearing, and others who are unable to access the audio message. (PS Docket No. 15-94)
§ Facilitating Satellite Broadband Competition. The Commission will consider an Order and Notice of Proposed Rulemaking that would propose revisions to the Commission’s rules for spectrum sharing among low-earth orbit satellite systems. The goal of the proposed revisions is to facilitate the deployment of the new generation of non-geostationary satellite orbit, fixed-satellite service (NGSO FSS) systems, including new competitors. (IB Docket No. 21-456; RM-11855)
§ Promoting Fair and Open Competitive Bidding in the E-Rate Program. The Commission will consider a Notice of Proposed Rulemaking that proposes to implement a central document repository (i.e., bidding portal) through which service providers would be required to submit their bids to the E-Rate Program Administrator and seeks comment on other changes to the E-Rate competitive bidding rules. (WC Docket 21-455)
o The United Kingdom’s (UK) Digital, Culture, Media and Sport Sub-committee on Online Harms and Disinformation Committee will hold a “Formal meeting (oral evidence session): Online safety and online harms” that “is likely to consider how aspects of the Australian legislation, such as the exemptions given to journalists, capacity to fine individual trolls, and prominence given to violence against women and girls, can inform the upcoming UK Online Safety Bill.” Australian e-Safety Commissioner Julie Inman Grant will testify.
§ 15 December
o The United States (U.S.) Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee will hold a hearing “to examine the impact of consolidation and monopoly power on American innovation.”
o The Senate Homeland Security and Governmental Affairs Committee will hold a markup to consider among other bills the “Federal Secure Cloud Improvement and Jobs Act of 2021” (S.3099).
§ 16 December
o The Federal Trade Commission will hold an open meeting with this business before the agency:
§ Advance Notice of Proposed Rulemaking to Combat Government and Business Impersonation Fraud: Staff will provide a presentation and the Commission will vote on an Advance Notice of Proposed Rulemaking to address rampant government and business impersonation fraud. Government and business impersonation scams are a leading source of consumer complaints and the largest source of total reported consumer financial losses – and have gotten worse during the pandemic.
§ 17-28 January 2022
o The United Nations (UN) Ad hoc committee established by General Assembly resolution 74/247 will meet. The UN explained:
§ Through its resolution 74/247, the General Assembly decided to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, taking into full consideration existing international instruments and efforts at the national, regional and international levels on combating the use of information and communications technologies for criminal purposes, in particular the work and outcomes of the open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime.
§ 16-17 June 2022
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”