Monday 19 July 2021

Rewards for Information on Cyberattacks Paying Off Already?

On July 15, 2021, the U.S. State Department announced that rewards of up to $10 million would be provided to informants with information concerning cyberattacks sponsored by or on behalf of foreign governments. Details of the program can be found here and here. Notably, the White House announced today that the United States and its allies have determined that the Chinese government has used criminal contract hackers in hacking operations involving zero-day vulnerabilities in Microsoft’s Exchange Server. The Biden Administration notes generally that:

[United States Department of Justice] imposing costs and announcing criminal charges against four MSS [PRC Ministry of State Security] hackers.

The US Department of Justice is announcing criminal charges against four MSS hackers addressing activities concerning a multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in at least a dozen countries. DOJ documents outline how MSS hackers pursued the theft of Ebola virus vaccine research and demonstrate that the PRC’s theft of intellectual property, trade secrets, and confidential business information extends to critical public health information. Much of the MSS activity alleged in the Department of Justice’s charges stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage.

The Biden Administration notes that it is “working around the clock” to address cybersecurity issues. Here are some of the measures the Administration is taking:

  • The Administration has funded five cybersecurity modernization efforts across the Federal government to modernize network defenses to meet the threat. These include state-of-the-art endpoint security, improving logging practices, moving to a secure cloud environment, upgrading security operations centers, and deploying multi-factor authentication and encryption technologies.
  • The Administration is implementing President Biden’s Executive Order to improve the nation’s cybersecurity and protect Federal government networks. The E.O. contains aggressive but achievable implementation milestones, and to date we have met every milestone on time including:

      • The National Institute of Standards and Technology (NIST) convened a workshop with almost 1000 participants from industry, academia, and government to obtain input on best practices for building secure software.
      • NIST issued guidelines for the minimum standards that should be used by vendors to test the security of their software. This shows how we are leveraging federal procurement to improve the security of software not only used by the federal government but also used by companies, state and local governments, and individuals. 
      • The National Telecommunications and Information Administration (NTIA) published minimum elements for a Software Bill of Materials, as a first step to improve transparency of software used by the American public.  
      • The Cybersecurity and Infrastructure Security Agency (CISA) established a framework to govern how Federal civilian agencies can securely use cloud services.
  • We continue to work closely with the private sector to address cybersecurity vulnerabilities of critical infrastructure. The Administration announced an Industrial Control System Cybersecurity Initiative in April and launched the Electricity Subsector Action Plan as a pilot. Under this pilot, we have already seen over 145 of 255 priority electricity entities that service over 76 million American customers adopt ICS cybersecurity monitoring technologies to date, and that number keeps growing. The Electricity Subsector pilot will be followed by similar pilots for pipelines, water, and chemical.
  • The Transportation Security Administration (TSA) issued Security Directive 1 to require critical pipeline owners and operators to adhere to cybersecurity standards. Under this directive, those owners and operators are required to report confirmed and potential cybersecurity incidents to CISA and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. The directive also requires critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days. In days to come, TSA will issue Security Directive 2 to further support the pipeline industry in enhancing its cybersecurity and to strengthen the public-private partnership so critical to the cybersecurity of our homeland.

By exposing the PRC’s malicious activity, we are continuing the Administration’s efforts to inform and empower system owners and operators to act. We call on private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.
