Federal panel says agencies need to focus on harmonizing cyber regulations
Below: The Defense Department says it secured a previously exposed server that leaked sensitive military emails, and gaming giant Activision falls victim to a phishing scheme. First:
An advisory committee recommended the creation of an office to deconflict cyber rules
The Biden administration needs to take numerous steps to deconflict and organize the proliferation of cybersecurity regulations, according to a report that a presidential advisory committee approved Tuesday.
Those steps include creating an office within the Cybersecurity and Infrastructure Security Agency to harmonize cybersecurity rules across the federal government, and directing a trio of federal agencies to coordinate with foreign governments on the development of consensus cybersecurity standards.
The recommendations arrive as the U.S. cyber scene awaits publication of the Biden administration’s national cybersecurity strategy, the White House pushes for mandates on numerous industries, and CISA writes a rule to require critical infrastructure owners and operators to report major cyber incidents to the agency.
The advisory panel, named the National Security Telecommunications Advisory Committee (NSTAC), voted Tuesday to send the report to Biden for his consideration.
The committee draws its membership from the business community, with a heavy emphasis on cybersecurity companies. Many industry groups have indicated opposition to the Biden administration pushing a more muscular federal role for cyber mandates.
But an official with the Office of the National Cyber Director, which led the writing of the national cybersecurity strategy, saw overlap between that strategy and the NSTAC report.
“The recommendations regarding regulatory harmonization align very well with the strategic goals of the strategy,” said Rob Knake, the acting principal deputy at the cyber director’s office.
One such recommendation is for CISA to establish an Office of Cybersecurity Regulatory Harmonization. There are already some federal initiatives with a similar mission, such as the Cyber Incident Reporting Council, and the Cybersecurity Forum for Independent and Executive Branch Regulators. But the new office would have the job of building expertise on cybersecurity regulation and assisting other federal agencies during the cybersecurity rulemaking process.
The report recommended housing the office in CISA for a few reasons, as incoming NSTAC chair Scott Charney, vice president for security policy at Microsoft, explained:
- “The primary advantage of housing this effort in CISA is that most other departments, such as Treasury or [Health and Human Services], are primarily concerned” with the industries they regulate, Charney said. “By contrast, CISA’s focus on protecting critical infrastructures gives it a broader, cross-vertical perspective.”
- “The proposed office would act in an advisory capacity to other regulators,” Charney said, “which is consistent with CISA’s existing interactions with regulators.”
- Furthermore, he said, CISA’s parent agency, the Department of Homeland Security, is home to the aforementioned Cyber Incident Reporting Council. That council was formed as part of legislation Congress passed last year that directed CISA to write a rule requiring critical infrastructure owners and operators to report major cyberattacks within 72 hours.
Agencies writing cyber rules would have to report how their regulations align with the new office’s guidelines.
Separate from the recommendations about the new office and how agencies would interact with it, the report calls on agencies to review their rules at least every five years and update them as needed.
And “the Department of State and Department of Commerce, in coordination with the Department of Homeland Security, shall develop and execute a strategy to encourage more foreign government participation in the development and adoption of specific consensus standards,” the report states.
Recommendations that aren’t about harmonization
The report isn’t only about harmonizing regulations.
Among its other recommendations:
- CISA and the General Services Administration should “draft core, universally applicable procurement language that clearly defines the government’s requirements and preferences” on secure software and services.
- CISA should expand and enhance a federal program focused on scanning and monitoring services to help federal agencies better protect their networks.
- CISA and the National Institute of Standards and Technology should form a partnership “focusing on transition to post quantum cryptography” — in other words, migrating to cryptographic algorithms designed to withstand attacks by future quantum computers, which could break much of the public-key encryption in use today.
Private U.S. military emails were exposed online
The Defense Department on Monday afternoon said it secured a server that was left online without a password for two weeks, exposing internal military emails to anyone on the internet, TechCrunch’s Zack Whittaker reports.
The server, which was left without a password due to a misconfiguration, was hosted on Microsoft’s Azure government cloud for Defense Department customers. That platform is typically used to share sensitive but unclassified government data, but in this case it stored about three terabytes of internal military emails, including those related to the U.S. Special Operations Command.
Anurag Sen, the security researcher who discovered the exposure, said the server contained military emails dating back years, with at least one file in particular including a completed SF-86 questionnaire, the form used to vet applicants for security clearances, full of highly sensitive personal and health information.
The server is now inaccessible. U.S. Special Operations Command spokesperson Ken McGraw said in an email to TechCrunch on Tuesday that an investigation into the leak began Monday and is still underway.
“We can confirm at this point is no one hacked U.S. Special Operations Command’s information systems,” McGraw said. It’s not clear if anyone besides Sen found the server during the two weeks that it was exposed.
Supreme Court knocks down Wikipedia operator’s bid to challenge NSA oversight
The Supreme Court on Tuesday denied a request from the operator of Wikipedia to reopen a lawsuit against the National Security Agency challenging broad internet surveillance, Reuters’s Andrew Chung reports.
In 2015, the Wikimedia Foundation, represented by the American Civil Liberties Union, sought to challenge the legality of NSA’s “upstream” program, which surveils foreign targets by collecting and searching internet traffic on data transmission lines flowing into and out of the United States. The lawsuit alleges that the practice violates Americans’ right to privacy and freedom of speech.
The NSA has defended the surveillance by pointing to Section 702 of the FISA Amendments Act of 2008. The upstream program’s existence was revealed in 2013 through documents leaked by former NSA contractor Edward Snowden, who later fled to Russia.
Tuesday’s decision upholds a lower court’s previous dismissal of the lawsuit under the state secrets privilege, a legal doctrine that can shut down litigation if disclosure of certain information, like details about the surveillance, would damage national security.
Hacker gains access to Activision Slack, steals Call of Duty info
A hacker was able to breach a Slack channel of the game publishing giant Activision after convincing an employee to give them a two-factor authentication token, Motherboard’s Joseph Cox reports.
After the breach, the bad actor posted offensive messages from the targeted staff account and apparently stole information related to upcoming Call of Duty release dates, according to screenshots posted online by the cybersecurity collective vx-underground.
.@Activision was breached December 4th, 2022. The Threat Actors successfully phished a privileged user on the network. They exfiltrated sensitive work place documents as well as scheduled to be released content dating to November 17th, 2023.
Activision did not tell anyone. pic.twitter.com/urD64iIlC5
— vx-underground (@vxunderground) February 20, 2023
Activision told Motherboard in a statement: “The security of our data is paramount, and we have comprehensive information security protocols in place to ensure its confidentiality. On Dec. 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it.”
“Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed,” the statement added. Activision did not respond when asked specifically by Motherboard about the data that the hacker seemingly did access, such as the Call of Duty scheduling.
The attack comes as the gaming sector is increasingly facing cyberthreats, with the industry seeing a 167 percent increase in web application attacks in 2021, and last year becoming the most targeted industry for distributed denial of service (DDoS) attacks. Last month, hackers broke into Riot Games, another gaming giant. In 2021, hackers breached Electronic Arts and CD Projekt.
- The Atlantic Council holds a discussion with the authors of two new reports on Russian narratives to justify the war in Ukraine today at 9 a.m.
- The R Street Institute holds a webinar on the state of cybersecurity careers for Black professionals on Thursday at noon.
- Former U.S. national security adviser John Bolton will join The Washington Post for a conversation about the war in Ukraine and rising tensions with China on Friday at 11 a.m.
Thanks for reading. See you tomorrow.