Monday, December 14, 2020

Nation-state hacking campaign uncovered — Presidential trouble for the defense bill — DoD needs to get with the digital times

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Eric Geller and Martin Matishak

Editor's Note: Weekly Cybersecurity is a weekly version of POLITICO Pro's daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day's biggest stories. Act on the news with POLITICO Pro.

Quick Fix

— Several federal agencies have been breached by state-sponsored spies in what is amounting to a massive online campaign against Washington.

— The annual defense policy bill is on track to be vetoed by President Donald Trump, who gave a new, confusing rationale about why he won't sign the bipartisan measure.

— The Pentagon's most advanced weapons will fail in the field unless the department builds them with cyber resilience in mind, a report warns.

HAPPY MONDAY and welcome to Morning Cybersecurity! Send your thoughts, feedback and especially tips to mmatishak@politico.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.


CONCERN "VERY HIGH" ABOUT AGENCY HACKS — In what could be the most serious breach of federal government networks in years, nation-state hackers broke into multiple federal agencies — including the Treasury Department and the National Telecommunications and Information Administration — in a campaign that appears linked to the recently disclosed hack of security firm FireEye.

The intrusions, first reported by Reuters, involved a sophisticated compromise of federal workers' Microsoft email accounts, a U.S. official, who requested anonymity to discuss an ongoing incident, told Eric. "It's not entirely certain what vulnerability they're using, how they got in," the official said, "but it continues to be a problem." The Office of the Director of National Intelligence and U.S. Cyber Command are involved in the investigation, said the official, who described their engagement as indicative of "a nation-state confrontation." The breaches prompted an emergency National Security Council meeting on Saturday that included National Security Adviser Robert O'Brien and Federal Chief Information Security Officer Camilo Sandoval, the official said.

Investigators believe that the intrusions were the work of Russia's foreign intelligence service, the SVR, which has also been linked to the FireEye breach, according to The Washington Post. The government suspects the FireEye and agency hacks are connected — although there is some doubt about this — and is now worried that "the same techniques … could have been leveraged against other agencies" because "everybody uses Microsoft products," the U.S. official said. Investigators believe that the hackers have been monitoring agency employees' emails since June, according to the official, who described the level of concern inside the government as "very high."

The attack began with the IT vendor SolarWinds, according to The Post. In a statement, SolarWinds CEO Kevin Thompson said that "a highly-sophisticated, targeted and manual supply chain attack by a nation state" had compromised the software updates that it sent to users of its Orion IT monitoring platform between March and June. SolarWinds' government customers include the Justice Department; the Census Bureau; several national laboratories; and state, local, and foreign customers such as the European Parliament and Britain's National Health Service.

Late Sunday evening, FireEye confirmed that the recent cyberattacks all stemmed from a compromised Orion software update. The company said that the attacks, which each required "meticulous planning and manual interaction," had affected "public and private organizations," and that it was notifying the victims it could identify. It also published a detailed writeup with more technical information.

CISA has "been working closely with our agency partners regarding recently discovered activity on government networks" and is "providing technical assistance to affected entities," the agency said. NSC spokesman John Ullyot said the Trump administration was "taking all necessary steps to identify and remedy any possible issues related to this situation." An NTIA spokesman referred questions to Commerce, which confirmed that "there has been a breach in one of our bureaus" and said it had requested CISA and FBI help. The FBI said it was "appropriately engaged" on the matter but declined to comment further. Treasury did not respond to a request for comment.

In Congress

NDAA UPDATE — President Donald Trump on Sunday provided a new reason for threatening to veto the annual defense bill, H.R. 6395, which would establish a national cyber director, saying China stood to benefit from the bipartisan measure. "The biggest winner of our new defense bill is China! I will veto!" Trump tweeted, without explaining further.

The president has previously vowed to sink the measure — which is chock-full of cybersecurity provisions — over language that would rename military bases named after Confederate leaders and because it didn't include text to strip social media companies of some of their legal protections. Both the House and Senate last week passed the measure by margins large enough to override a potential veto.



Defense

CAN'T AFFORD A JAMMED WEAPON — The Pentagon and its defense contractors must overcome "antiquated acquisition policies, misapplied bureaucratic oversight, and siloed knowledge" to stay ahead of cyber threats, the Atlantic Council said in a report published today. The military must also "develop a healthy relationship with failure," including the capacity for risk-taking, the group concluded in its report on "mission resilience" for combat systems that depend heavily on software.

The report warns that increasingly computerized weapons systems, such as the F-35 joint strike fighter, can fail if the military doesn't design and maintain them with resilience in mind. The IT systems intended to support the F-35 "have barely gotten off the ground," the Atlantic Council said, and the military "has demonstrated an inability to manage complexity and develop robust and reliable mission systems even in a relatively benign environment."

To address such problems, the report makes 12 recommendations, including acquisition reform, a Defense Innovation Board study of mission resilience, the introduction of "chaos engineering" to shake up system testing and a new approach to defending Pentagon networks that reduces the emphasis on perimeter defense.

Critical Infrastructure

BE ON THE LOOKOUT — Critical infrastructure companies should pay close attention to the DoppelPaymer ransomware before they become the next victim of its extortion spree, the FBI warned on Friday. "Since late August 2019, unidentified actors have used DoppelPaymer ransomware to encrypt data from victims within critical industries worldwide such as healthcare, emergency services, and education, interrupting citizens' access to services," the bureau said in a private industry alert obtained by POLITICO.

What makes DoppelPaymer special, the FBI said, is that its operators are some of the few extortionists to call their victims to demand payment, rather than simply sending them threatening messages. "In one case an actor, using a spoofed US-based telephone number while claiming to be located in North Korea, threatened to leak or sell data from an identified business if the business did not pay the ransom," the alert said. That was followed by threats to "send an individual to the home of an employee and provided the employee's home address. The actor also called several of the employee's relatives."

The FBI advisory lists several recent examples of the DoppelPaymer spree, including a disruptive attack on an unidentified county's E911 center and several intrusions into community colleges. Media reports have linked DoppelPaymer to ransomware infections in Torrance, Calif., and Hall County, Ga. The group was also behind a September attack on a German hospital that contributed — albeit not decisively — to the death of a patient.

Industry Intel

THE HURT LOCKER — BlackBerry researchers on Friday said they are tracking a ransomware strain that allows digital criminals to pilfer sensitive data and extort victims. The company's Incident Response Team first spotted the variant, dubbed "MountLocker," in July. However, its code was updated last month to better avoid detection by targeting fewer files on a victim's network.

Researchers noted that only five victims are named on MountLocker's "News & Leaks" site hosted on the darknet but there are likely more out there. "The MountLocker operators are clearly just warming up," according to the company's report. "After a slow start in July, they are rapidly gaining ground, as the high-profile nature of extortion and data leaks drive ransom demands ever higher." The ransomware's operators have demanded bitcoin in exchange for the stolen data.

Pandemic protection

BRRRR! — As Covid-19 vaccines begin to ship across the country, CISA has issued fresh guidance on the digital dangers to cold storage. "Cyber threat actors have shown an interest in targeting IT assets that support the vaccine cold chain and cold storage facilities," according to the agency. Therefore, it recommends that the owners and operators of cold storage sites "prepare for attacks targeting the cold chain, remain vigilant to alerts and activity in this space, have contingency plans in place, and know who to contact for help."

Specifically, CISA suggested operators consider disabling remote connectivity if they're not using it and avoid using default passwords. The agency also recommended employing additional, less exposed thermometers and informing their dry ice suppliers of potential backup vaccine keepers.

People on the Move

Phil Venables, a senior adviser for risk and cybersecurity at Goldman Sachs, is set to become Google Cloud's first chief information security officer.

Quick Bytes

Israeli surveillance companies are scooping up data from smartphone apps.

The Atlantic: Trump Is Looking for Fraud in All the Wrong Places.

The European Union Agency for Cybersecurity examined information security spending for network and information services.

Cyberscoop: Facebook claims it disrupted cyber-espionage in Vietnam, Bangladesh.

AP computer science principles are attracting more female, Black and Latino students.

That's all for today.

Stay in touch with the whole team: Eric Geller (egeller@politico.com, @ericgeller); Bob King (bking@politico.com, @bkingdc); Martin Matishak (mmatishak@politico.com, @martinmatishak); and Heidi Vogt (hvogt@politico.com, @heidivogt).
