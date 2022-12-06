

Welcome to The Cybersecurity 202! You tell me: What were the best songs to come out in 2022? Below: The Secret Service says Chinese hackers stole covid-19 relief benefits, and Iranian hackers are accused of targeting activists, journalists and others. First:

BODs: Hot or not? How a DHS initiative to improve federal cybersecurity is working out

The Department of Homeland Security has authority to issue "binding operational directives" – known in the cybersecurity world as BODs – to try to pressure federal agencies to bolster their cyber defenses.

Federal agencies usually try to comply with these directives. But "binding" overstates it: DHS has no way to compel compliance beyond escalating to agency leadership and the White House budget office, and government watchdogs have repeatedly found agencies falling short of full compliance.

DHS has been issuing these directives for seven years, ordering agencies to take steps such as removing antivirus products made by Russia-headquartered Kaspersky and patching the most prominent software vulnerabilities in the news.

Sometimes these BODs work and other times they don’t. Paradoxically, perhaps, both were in evidence when DHS’s Cybersecurity and Infrastructure Security Agency announced last month that an unnamed federal agency had suffered a breach at the hands of Iranian hackers — who penetrated its networks via a vulnerability that CISA had ordered agencies to fix.

The Cybersecurity 202 reported that the agency was the U.S. Merit Systems Protection Board.

The hackers exploited a vulnerability in log4j, a widely used Java logging library embedded in software running on hundreds of millions of devices worldwide.

CISA had ordered agencies last year to shore up log4j vulnerabilities: the flaw was added to the catalog of known exploited vulnerabilities that agencies must remediate under a binding operational directive, and CISA also issued a separate emergency directive on it.

Those orders gave agencies deadlines in December, but according to CISA’s alert, the hackers accessed the agency as early as February of this year — well after agencies should have completed the work.

“We saw agencies, and really across the community, taking extraordinary action in quickly identifying and mitigating vulnerable devices or products running the relevant versions of log4j,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told me. “As our director and others have noted, the prevalence of devices running vulnerable versions of log4j is extensive. So it’s going to be a long-term effort to get the number of vulnerable devices down to, or even near, zero.”

The beginning to now

Congress gave DHS the authority to issue BODs in 2014. In 2015, Congress gave DHS another kind of authority to issue “emergency directives.” The department has grown increasingly willing to issue these directives.

From 2015 to 2018, the department issued or updated seven of them, collectively.

From 2019 to now, the department issued or updated 14 of them.

Even though agencies don’t fully comply with BODs, that doesn’t mean DHS is powerless, Goldstein said.

“Because they are binding, we are able to work closely with agencies at an operational level,” he said. “Agencies understand that these are required actions, but also if agencies are not able to complete required actions in the allotted time frame, we are able to rapidly escalate to agency senior leadership and work closely with our partners at OMB [the Office of Management and Budget] to ensure that the importance of these steps are reflected at the leadership.”

Additionally: “It has never been the case, at least in my two years in this role, that an agency has not accepted the validity or binding nature of these directives,” Goldstein said.

When DHS has seen agencies struggling to complete a directive, it’s been because of money, personnel or technical limitations, Goldstein said. Also, some directives are by their very nature not meant to be completed all at once. For example, one directive requires agencies to remediate every vulnerability on CISA’s running, regularly updated catalog of known exploited vulnerabilities, so the work never really ends.

Gary Barlet, a former chief information officer at the Postal Service’s inspector general office who calls himself a “believer” in the directives’ effectiveness, told me that failing to complete a directive can “make for a very uncomfortable conversation between you and your boss, and potentially between the agency and Congress.”

Other complicating factors, according to Barlet, now federal field chief technology officer for cybersecurity company Illumio, include: how technical the directive is, the size of the agency, how quickly DHS wants agencies to complete them, and the frequency with which DHS issues them.

One of the major factors in whether DHS decides to issue a directive is how much of a burden it would put on the bureaucracy, Goldstein said. A directive tells agencies what to prioritize over other work, so the department doesn’t issue one without first checking with OMB, as well as with federal chief information officers and chief information security officers.

BODs, can’t you see what everybody wants from you?

While the DHS cyber directives only apply to federal agencies, one side benefit of them is that they’re often looked to as a guide for industry, too.

“It’s a spotlighting of issues that the government says it’s going to spend money and time on, and so therefore it sends a strong signal to the private sector that those things are worth thinking about, too,” Eric Wenger, senior director for technology policy and global government affairs at Cisco, told me.

Overall, despite some of the challenges and limitations of the directives, Barlet said they’re a net benefit.

“Nobody likes Big Brother. Nobody likes someone telling them what to do,” he said. “But, for a lot of agencies, it’s that necessary kick in the pants that agencies need, to be honest with you.”

Chinese hackers stole millions in covid-19 relief benefits, Secret Service says

The U.S. Secret Service’s acknowledgment that a China-backed hacking group called APT41 stole at least $20 million in relief benefits marks the first time that the U.S. government has said that hackers backed by a foreign country stole covid-19 relief funds in the wake of the pandemic, NBC News’s Sarah Fitzpatrick and Kit Ramgopal report. It’s not clear if the Chinese government told the hackers to steal the money, however.

“The covid fraud scheme that the Secret Service has publicly linked to APT41 began in mid-2020 and spanned 2,000 accounts associated with more than 40,000 financial transactions,” Fitzpatrick and Ramgopal write. They’re especially sophisticated in their “ability to work heavily and quickly,” Secret Service national pandemic fraud recovery coordinator Roy Dotson told NBC News. The Secret Service has been able to recover around half of the stolen money, it said.

The Justice Department and FBI declined to comment to NBC News, and the Department of Homeland Security didn’t respond to its requests for comment. China’s U.S. Embassy also didn’t respond to the outlet’s requests for comment.

Human Rights Watch says Iran-backed hackers targeted staffers, journalists and activists

Hackers from an Iranian government-backed group known as APT42 posed as a Lebanese think-tank employee on WhatsApp from September to November, Human Rights Watch said. They tried to get the targets to click on phishing links that led to fake login pages prompting the targets to enter their usernames and passwords.

In all, at least 20 people were targeted by the hackers. “The email and other sensitive data of at least three of them had been compromised: a correspondent for a major U.S. newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon,” Human Rights Watch wrote. The U.S. government and cybersecurity researchers regularly attribute intrusions to Iranian hackers, but Iran often denies conducting them.

Chinese authorities cooperating with U.S. government checks

China’s Ministry of Commerce has helped some Chinese firms go through U.S. government checks to make sure American technologies aren’t being used by China’s military, Bloomberg News’s Jenny Leonard and Debby Wu report. Spokespeople for the commerce ministry and U.S. Department of Commerce didn’t respond to Bloomberg News’s requests for comment.

“Chinese firms on the Unverified List have 60 days from Oct. 7 to show their products won’t go to a military end-use or risk being pushed onto the U.S. Entity List, which prohibits trade with U.S. businesses or those utilizing US-sourced technology without a license from Washington,” they write.

