with Aaron Schaffer

Cybersecurity defenses will take top priority in the spending of $1 billion in tech modernization funding passed by Congress earlier this year, according to plans shared first with The Cybersecurity 202.

The Office of Management and Budget and General Services Administration will also prioritize projects addressing critical IT modernization, public-facing services and cross-agency programs.

“We plan to use these resources to enable the federal government to better respond to SolarWinds, the covid-19 crisis and support the economic recovery,” said federal Chief Information Officer Clare Martorana.

The announcement of the funding plans comes ahead of an executive order expected this week that would introduce new security standards for software used by government agencies.

Modernizing federal cybersecurity defenses has been a top priority of the Biden administration in the aftermath of two significant hacking campaigns. For months, Russian hackers went undetected in the systems of at least nine federal agencies until a private cybersecurity firm in December notified the government of vulnerabilities it found in a popular software called SolarWinds. The Government Accountability Office has named federal cybersecurity as one of the most urgent risk areas for the government to address.

Congress provided the $1 billion in funds as part of the economic stimulus signed into law in March. It's a huge windfall for the fund, appropriations for which have hovered in just the tens of millions in recent years. The Biden administration has requested $500 million for the fund this year in addition to the stimulus boost.

The new plan also overhauls the Technology Modernization Fund's (TMF) repayment structure. The new structure will not require recipients whose projects address an immediate security need such as cybersecurity or the coronavirus pandemic to repay the funds in full. Repayment plans for other projects will be considered on a case-by-case basis.

The fund's current requirement that agencies must pay back grants within five years has drawn scrutiny for deterring projects that might serve critical needs but fail to provide a huge cost-saving impact. Democrats on the House Oversight Committee last month urged OMB, GSA and the TMF board to relax the repayment plan. Industry groups have also called for changes to the repayment process.

Officials hope the new flexibility will allow government agencies to act more swiftly.

“The updated TMF model provides the clarity and flexibility necessary to encourage federal agencies to prioritize technology modernization while transforming the relationship between the federal government and the public we serve,” said GSA acting administrator Katy Kale. “It is more aggressive to meet the urgent technology needs of the federal government today, as well as more ambitious to anticipate the demands of tomorrow.”

Proposals are due by June 2 and funds will be allocated on a rolling basis.

The keys

A coalition of cybersecurity companies working on the Olympics warns hacks-for-ransom could pose a major threat.

Organizations providing support to the Olympics should be closely tracking the spike in activity and immediately seek to patch and mitigate any vulnerabilities that could be used by hackers, according to a new analysis from the Cyber Threat Alliance.

“If you're a ransomware operator and looking for a juicy target, Olympics services are a quick payday,” says Neil Jenkins, chief analytic officer at the Cyber Threat Alliance.

While Japan has taken a number of steps to shore up its cybersecurity ahead of the games, the pandemic has created chaos hackers could seize upon. The nation is currently undertaking emergency measures to deal with a spike in coronavirus cases. Hackers could take the domestic turmoil as a sign that Japan is distracted from cybersecurity and would make an easy target.

The pandemic has also created new attack targets. For instance, hackers may look to disrupt smartphone apps the Japanese government has created to track vaccination status and contact tracing.

“If a malicious virus gets into that system and disrupts it with ransomware or inserts false data or gets in there you would really impact that way the Japanese government's ability to keep things safe,” said Jenkins.

The report also cautions that Russia could once again seek to hack international teams and anti-doping organizations in retaliation for a ban on its athletes.

Sixty percent of education apps used by schools were sending data to third-party advertising platforms, researchers found.

Third parties used by the apps included advertising platforms from Google, Facebook and Twitter, according to the report from privacy nonprofit Me2B Alliance. Some of the third-party software identified by the report links to hundreds of other partners.

The review, which is based on a random sample of 73 apps used across 14 states, highlights the massive amounts of students' personal data being shared with third parties without students' or parents' explicit awareness. Companies largely fail to make clear which third parties they share data with, and listing those companies is not a requirement of app stores.

The report notes that public schools sampled were more likely to use apps sharing data with third parties than private schools.

While the use of third-party software, or software development kits (SDKs), in apps is pervasive, their inclusion in educational apps raises alarm. There's little accountability to make sure the apps are not collecting data on users under 13, which violates federal laws, says Lisa LeVasseur, executive director of Me2B Alliance.

There's been a push lately for companies to remove tracking, including SDKs, from apps used by children. Earlier this month, several app developers for children were ordered to remove or disable tracking by a district court in California.

A Customs and Border Control contract shows how cars track their drivers.

The agency paid Swedish firm MSAB $456,073 for hardware including five “vehicle forensics kits” made by Berla, the Intercept’s Sam Biddle reports. The contract went from June to February.

MSAB materials claim that the personal data it can get includes “recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.”

“The scale at which CBP can leverage a contract like this one is staggering,” Mohammad Tajsar, an attorney with the American Civil Liberties Union of Southern California, said. MSAB spokesperson Carolen Ytander declined to comment on privacy concerns and said the company “does not set customer policy or governance on usage.” CBP was unable to provide a comment by the time of publication.

Cyber insecurity

You may want to change your Star Wars-themed password today.

Cybersecurity firm Specops Software analyzed 800 million breached passwords and found “yoda” nearly 37,000 times. The Jedi Master was followed by “starwars” and “ewok,” which appeared 22,000 times and 17,000 times. Unfortunately, “the Force can’t save you from breached passwords,” Darren James, a product specialist at the company, said in a statement.

Mentions

  • Michael Ellis, a former Republican operative who then-President Donald Trump named as the National Security Agency’s general counsel before he resigned after being sidelined, has joined the Heritage Foundation’s Meese Center for Legal and Judicial Studies as a visiting fellow, Politico’s Martin Matishak reports.

Chat room

Apple rolled out an iOS software update after discovering two vulnerabilities that “may have been actively exploited,” according to reports. Corellium Chief Operating Officer Matt Tait reflected on how Apple releases updates for in-the-wild exploits:

Journalist Ryan Naraine found this statistic:

Daybook

  • Rep. Yvette D. Clarke (D-N.Y.), the chair of the House Homeland Security Committee’s cyber panel, and other lawmakers speak at Hack The Capitol 4.0 today.
  • Cybersecurity officials speak at a Department of Commerce and Department of Homeland Security symposium on space cybersecurity on Wednesday.
  • Krebs speaks at an event hosted by the U.S. Agency for Global Media and Aspen Digital on disinformation on Wednesday at 9 a.m.
  • Secretary of Homeland Security Alejandro Mayorkas discusses ransomware at a U.S. Chamber of Commerce event on Wednesday at 1:30 p.m.
  • The House Homeland Security Committee’s cyber subcommittee holds a hearing on ransomware on Wednesday at 2:30 p.m.
  • The Intelligence and National Security Alliance holds an event on zero trust implementation on Thursday at 2:30 p.m.
  • Rep. Mike Gallagher (R-Wis.) speaks at a Heritage Foundation event on defense supply chains on May 10 at 1 p.m.
  • Erin M. Joe, the director of the Cyber Threat Intelligence Integration Center, speaks at the CyberSatDigital conference at 9:20 a.m. on May 11.

Secure log off