Welcome to The Cybersecurity 202! I give my strongest recommendation to Michelle Zauner's "Crying in H Mart." I listened to it as an audiobook read by the author.
CISA is working on an ingredients list for tech systems
Government officials are looking for ways to make future bugs like log4j less threatening, as organizations continue to scramble to protect themselves from the fallout.
One big idea being pushed by government cyber officials is a Software Bill of Materials (SBOM) – an ingredients list for tech systems that organizations can consult when a new bug is discovered to see if they have vulnerable software needing to be patched.
The concept has been around for a long time. But it’s getting extra juice amid the log4j fallout as government officials and industry executives grapple with the huge number of highly dangerous bugs that may be lurking deep inside software that’s spread throughout the tech ecosystem.
SBOMs wouldn’t have prevented log4j, but they could have made the cleanup far faster. They’re particularly well-tailored to solve one of the biggest problems log4j highlighted — that some bugs affect pieces of open-source software that are not only incredibly common but also frequently buried so deep in companies’ digital systems that their IT and cyber staff don’t even know they’re there.
“Log4j helped folks realize if we had SBOMs today, this would be more manageable,” Allan Friedman, a senior adviser to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) who’s working on the effort, told me. “It helped folks understand that this is something that has real, tangible value in terms of dollars and cents.”
The government isn’t designing SBOMs itself, but it’s trying to make it easier for vital industries to use them.
Heading off attacks
SBOMs are one of four key areas CISA is working on to prevent the next log4j, Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters this month.
He called SBOMs “invaluable to help an organization ideally automatically understand if they are exposed to a given vulnerability and then quickly pivot to remediation, driving down that time that an adversary has to exploit a vulnerability.”
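The lookup an SBOM is meant to enable, as an added Python example that is not code from the newsletter or from CISA's effort: a constructed ingredients list loosely following the CycloneDX JSON layout is checked against a constructed advisory, and every bundled copy of the named component that falls inside the affected version range is reported. The advisory identifier, component coordinates and version range are placeholders, not the real log4j bulletin.

```python
"""Added example: answering "Am I affected?" from an SBOM.

Not the newsletter's or CISA's code. The SBOM below loosely follows the
CycloneDX JSON layout; the advisory id, component and version range are
constructed placeholders, not the real log4j bulletin.
"""
import json
import re
from typing import List, Tuple

# Constructed sample SBOM: three bundled libraries, one of them shipped twice
# at different versions (the "buried deep in the stack" case the text describes).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
    ],
})

# Constructed advisory (placeholder id and range): versions from
# `introduced` (inclusive) up to `fixed` (exclusive) are affected.
SAMPLE_ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0",
    "fixed": "2.15.0",
}

_NUMERIC = re.compile(r"^(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.

    Only the leading digits of each dot-separated field are kept, so a
    pre-release tag such as '-beta9' is ignored; the tuple is padded to
    three fields so '2.0' and '2.0.0' compare equal.
    """
    fields = []
    for part in text.split("."):
        m = _NUMERIC.match(part)
        fields.append(int(m.group(1)) if m else 0)
    while len(fields) < 3:
        fields.append(0)
    return tuple(fields)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, the usual advisory shape."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_exposed_components(sbom_json: str, advisory: dict) -> List[Tuple[str, str]]:
    """Return (name, version) for each SBOM component inside the affected range.

    Matching is by component name, and by group when the advisory names one.
    Every copy of the component is reported, since each must be remediated.
    """
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != advisory["name"]:
            continue
        if advisory.get("group") and comp.get("group") != advisory["group"]:
            continue
        if is_affected(comp.get("version", "0"), advisory["introduced"], advisory["fixed"]):
            hits.append((comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    exposed = find_exposed_components(SAMPLE_SBOM_JSON, SAMPLE_ADVISORY)
    print(f"{SAMPLE_ADVISORY['id']}: {len(exposed)} exposed component(s)")
    for name, version in exposed:
        print(f"  {name} {version} -> upgrade to >= {SAMPLE_ADVISORY['fixed']}")
```

On the sample data only the 2.14.1 copy of log4j-core is reported; the 2.17.1 copy sits past the fixed version and is left alone. In practice the version comparison is the fragile part: real SBOMs carry pre-release and vendor-patched version strings, which is exactly why the standard-format work described above matters.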
Other efforts include:
- Demanding stronger design for software used by the federal government
- Building automated tools to scan software for bugs
- Helping tech companies get better at responding when there are bugs in their products
There’s been some movement toward SBOMs in critical industry sectors, but there’s still a long way to go.
- A collection of electric utilities is piloting the use of SBOMs in the electric sector.
- The Food and Drug Administration has also raised the idea of requiring SBOMs from medical technology firms when they seek approval for new devices.
- But for most industries, the idea is still in its early phases and leaders aren’t sure all the technical heavy lifting will make financial sense.
CISA’s goal is basically to make adopting SBOMs as easy as possible to change industry’s calculus. The agency hosted an event with key industries to hash out some of the big problems in December, which they dubbed an SBOM-A-RAMA.
Big goals include developing standard formats so SBOMs look the same within or across industries, and tools so software suppliers can automatically share the ingredients lists with their customers.
“What we’re trying to do is not to say that there is a single way to do it, but to try to minimize the number of degrees of freedom so that implementation has as low a cost as possible,” Friedman told me.
They’re also trying to overcome some of the big barriers.
For example, private tech companies are often hesitant to share the details of all their software publicly so they need a private way to share it with customers. Some smaller tech firms likely won’t devote the resources to using SBOMs unless their customers demand it.
“When a new vulnerability is discovered, responsible manufacturers have to say, ‘Am I affected?’ ” Friedman said. “And an SBOM can shorten that by many orders of magnitude in terms of hours and cost.”
Tighter cyber rules for government agencies could come today
The new rules expected from the White House would tighten requirements for federal employees to use extra security measures when logging into devices and networks beyond passwords, CNN’s Sean Lyngaas reports.
They would also implement a system called “zero trust,” which means not automatically trusting users are who they say they are but requiring verification at each step. Agencies would also be required to have a complete inventory of all tech devices running on their networks, Sean reports.
The new rules were spawned from a cybersecurity executive order President Biden issued in May after the SolarWinds attack compromised large amounts of federal data across numerous agencies.
Researchers named three new victims targeted with NSO’s Pegasus spyware
Lamah Fakih, Human Rights Watch's crisis and conflict director and the head of its Beirut office, was targeted by Pegasus, according to the group. Fakih, a U.S.-Lebanese dual citizen, said she doesn’t know why she was targeted or by which of NSO Group’s government clients, but she spent much of last year studying a 2020 explosion in Beirut that killed more than 200 people and caused billions of dollars in damage, Craig Timberg reports.
Meanwhile in Poland, researchers identified two new victims of the spyware, the Associated Press’s Vanessa Gera reports:
- Farmer and agrarian movement leader Michal Kolodziejczak was targeted ahead of elections where support for his movement threatened to cut into backing for Poland’s ruling party
- Tomasz Szwejgiert, who says he worked with Poland’s secret services and wrote a book about its leader, Mariusz Kaminski, was also targeted
Polish state security spokesman Stanislaw Zaryn told the AP that the country conducts surveillance in limited cases and is bound by Polish law. The leader of Poland’s ruling party has admitted that the country purchased Pegasus, but denied that it was used to target opposition figures in a high-stakes election campaign.
NSO "has been the subject of a growing number of news reports about financial, corporate and legal struggles,” Craig writes. “The departure of the company’s chairman, Asher Levy, became public on Tuesday. A newly appointed chief executive announced his resignation in November after just two weeks on the job.” NSO told news outlets that Levy’s departure had been previously planned, and that reports of financial and other troubles are unfounded.
Federal prosecutors are reviewing fake election documents that said Trump won states he actually lost
Deputy Attorney General Lisa Monaco acknowledged the Justice Department is probing the phony certificates after weeks of requests by lawmakers and state officials for a federal investigation, CNN’s Evan Perez and Tierney Sneed report. The move comes days after my colleagues reported that the effort by Republican electors in Arizona, Georgia, Michigan, Nevada and Wisconsin was assisted by Trump campaign officials and attorney Rudolph W. Giuliani.
“A Justice Department spokesman declined to comment Tuesday on when prosecutors began looking into the matter, whom they were targeting or even if they were conducting a full-fledged investigation, rather than just assessing referrals from state attorneys general,” my colleague Matt Zapotosky writes.
The House committee investigating the Jan. 6 insurrection is also focusing on how the rival slates were put together, people familiar with the panel’s work told my colleagues.
A Michigan woman found out she won $3 million in the lottery after checking her spam folder
The unusual incident is giving security pros heartburn.
Emails in your spam folder that promise big paydays are almost certain to be hoaxes or con jobs aimed at stealing your information or spreading malware, email security experts say. Laura Spears’s $3 million payday “seems to be a classic example of the exception that proves the rule — in this case, don’t believe emails that sound too good to be true,” Venable managing director Jeremy A. Grant told Annabelle Timsit.
Spam emails about lottery wins are especially prevalent. “Lottery fraud is common in the United States: Of the more than 600,000 complaints of fraud the Federal Trade Commission received in the third quarter of 2021, scams that used prizes, sweepstakes and lotteries as bait were the third most common, generating a total loss of $56.3 million for the consumers who fell for them,” Annabelle writes.
Bob Kolasky is leaving CISA
Kolasky, a longtime Department of Homeland Security official, leads CISA’s National Risk Management Center. CISA Director Jen Easterly said in a statement that Kolasky “played an integral role in building the agency and continually advancing our mission.”
Current and former CISA officials were quick to praise Kolasky.
More from Easterly:
It’s been a real pleasure working with @BobKolasky—a true risk management visionary. He built the NRMC from scratch to be one of the crown jewels of @CISAgov, helping drive down systemic risk to the nation. We’ll miss him but wish him great luck in his next adventure! Well done! https://t.co/DeMaPvYgBv — Jen Easterly (@CISAJen) January 25, 2022
Matt Masterson, CISA’s top elections official for the 2020 contest:
.@BobKolasky stepped up after 2016 to begin to work with election officials on securing systems. He took A LOT of arrows on behalf of @CISAgov to begin to build trust. He was critical to the progress made 2018 forward. Thank you Bob for your support & leadership. https://t.co/DG56w2a4O7 — Matthew Masterson (@mastersonmv) January 25, 2022
Former CISA director Chris Krebs:
Bob will be missed, a key part of the @cisagov leadership team over the years. Always willing to take on hard problems, including this little thing we called the National Risk Management Center. Thx for your service @BobKolasky good luck in your next gig. https://t.co/B3sktAcF3T — Chris Krebs (@C_C_Krebs) January 25, 2022
A telecom industry association is launching a new supply chain security standard
The Telecommunications Industry Association’s new standard is designed to verify the security of hardware, services and software across telecommunications network infrastructure. Its release comes as critical industries have been struggling to figure out how to secure supply chains against hacking and questionable software.
Securing the ballot
SEC Chairman Gary Gensler pointed to a scheme to get early telegraph information to profit off securities trading in 1834 France.
Bryan Vorndran, assistant director of the FBI’s cyber division, pointed to a computer worm developed at the Massachusetts Institute of Technology in 1988.
Who's right? University of Sydney PhD candidate Ravi Nayyar said it depends:
… system but it could be argued that it is not such because it does not organise or manipulate the data transmitted through it. — Ravi Nayyar (@ravirockks) January 25, 2022
The Blanc attack was used to facilitate insider trading like Russian and Ukrainian hacks of EDGAR, but the latter is quite clearly a computer system.
But a story that begins in Bordeaux sounds more enjoyable to investigate than one that begins in Boston, Recorded Future's Allan Liska notes:
The SEC is correct. The important reason why comes from this write-up by @schneierblog. As long as the first cyber attack occurred in Bordeaux we can organize a "fact finding" visit to the city to further investigate. If the FBI is correct, we have to go to Massachusetts. https://t.co/ZCFW6caF70 pic.twitter.com/9tZiH6MFC1 — Allan “Ransomware Sommelier🍷” Liska (@uuallan) January 25, 2022
- FTC Commissioner Noah Phillips discusses data privacy at an event hosted by the National Cybersecurity Alliance and LinkedIn today.
- The German Marshall Fund hosts an event on cyber and other forms of resilience in Ukraine today at 10 a.m.
- CISA Executive Assistant Director David Mussington speaks at a Purdue University event today at 4:30 p.m.
- Sens. Ron Wyden (D-Ore.) and Marsha Blackburn (R-Tenn.) speak at an R Street Institute event about a future federal privacy law on Thursday at 2:30 p.m.
- CISA senior adviser Kris Rose and other cybersecurity experts speak at Out In Tech's Out in Cybersecurity event on Thursday at 5:30 p.m.
- FBI Director Christopher A. Wray speaks at the Reagan Library on Monday.
- The Brookings Institution hosts an event on ethical use of artificial intelligence on Monday at 11 a.m.
Secure log off
Thanks for reading. See you tomorrow.