Tuesday, June 21, 2022

The problem with Roe digital security advice

Presented by App Security Project: Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.
Jun 21, 2022

By Sam Sabin

With help from Eric Geller

Quick Fix

— With a dwindling number of days left for the Supreme Court to issue a decision on Roe, privacy experts are increasingly warning that legislative and executive actions are the only surefire way to fend off digital surveillance threats.

— CISA will warn today about a set of more than two dozen security flaws affecting some of the top security vendors for critical infrastructure operators, according to the researchers who discovered the problem.

— A report out this morning underscores just how difficult tackling open source software's cybersecurity woes will be — just in time for a major open source software summit kicking off today.

HAPPY TUESDAY, and welcome back to Morning Cybersecurity! I'm your host, Sam Sabin, and consider this your friendly reminder to enjoy the longest day of the year today! Take a meeting outside, go for a walk. Whatever feels right.

Have any tips and secrets to share with MC? Or thoughts on what we should track down next? Send what you've got to ssabin@politico.com. Follow along at @POLITICOPro and @MorningCybersec. Full team contact info below. Let's get to it.

Surveillance

A TEAM EFFORT — As everyone awaits the forthcoming Supreme Court decision dictating the fate of Roe v. Wade, more privacy advocates are warning that the digital security tip sheets they've been circulating on social media for weeks won't be enough if the court overturns the case. And instead of waiting for the decision, advocates have been increasingly turning their attention to the people who have a much better shot at easing their digital surveillance concerns: lawmakers and Biden administration officials.

What's the problem? For weeks, digital surveillance experts and abortion rights groups have been circulating tip sheets ahead of the possible overturning of Roe v. Wade for how people can avoid digital surveillance when seeking abortions or connecting patients. The Digital Defense Fund, a group that helps providers with their cyber needs, created a graphic recommending people turn off location services on their phones and use private browsers, and the Electronic Frontier Foundation, an advocacy group that pushes against mass data collection, has a step-by-step guide for separating abortion-related work from someone's primary online accounts.

But given how expansive online data collection is, privacy experts have been arguing against putting too much emphasis on individual actions to prevent data collection. "Some folks have access to the ability to protect themselves," said Andrea Ritchie, a co-lead of criminal justice-focused advocacy group Interrupting Criminalization. "But other folks access the internet at public libraries, at schools, at other places because they don't have access to privacy-generating technologies or private spaces."

Advocates have already started making moves: A handful of privacy and abortion rights experts met with Vice President Kamala Harris last week to discuss these issues, and advocacy groups like the Surveillance Technology Oversight Project have been calling on states to also pass laws limiting law enforcement access to online data.

So far, only progressive lawmakers are taking up the fight. Sen. Elizabeth Warren (D-Mass.) led a group of mostly Democratic lawmakers last week in introducing a bill to prevent data brokers from selling health and location data to third parties. And Rep. Sara Jacobs (D-Calif.) introduced the My Body My Data Act, which requires tech companies and app developers to only collect and retain health data about users that's "strictly needed" to provide services.

Some data brokers are also starting to self-regulate. At least one data broker, SafeGraph, promised to stop selling location data about people who visit Planned Parenthood locations after a Vice journalist discovered the practice.

But: Getting momentum for data privacy regulation in Washington is tough (just ask the federal lawmakers who have spent at least four years negotiating a federal comprehensive privacy bill). In the meantime, abortion rights advocates and healthcare providers are left with imperfect individual strategies as they prepare their systems for an influx of cyberattacks and digital threats in the coming weeks, as your host reported over the weekend.

Vulnerabilities

COVERING ALL THE BASES — Researchers at Forescout have discovered scores of security vulnerabilities affecting dozens of devices in critical infrastructure operators' systems that could give hackers the ability to steal login credentials or access certain products, according to a report released this morning. The sheer number of flaws — 56 new vulnerabilities across 10 operational tech vendors — and the risks associated with them are also prompting CISA to issue an advisory later today with recommended next steps.

What's going on: In the report, Forescout details dozens of vulnerabilities, which they've dubbed "Icefall," in tools popular with critical infrastructure operators. Affected products include distributed control systems that help process data to engineering workstations and remote terminal units that send data between hardware and control systems in pipelines, water systems and other pieces of critical infrastructure.

Hackers could also exploit the recently discovered security flaws to take a piece of the infrastructure's network offline or, in some cases, gain complete control of the affected product.

How bad is it: Forescout estimates that more than 35,000 individual devices will need fixes for the vulnerabilities, with about a quarter of those in the manufacturing sector and 16 percent in the healthcare industry. Researchers described the flaws as "insecure by design" since the issues are tied to the basic design of the operational technology itself, and the bad news is that "insecure by design" flaws are the go-to for hackers looking to target critical infrastructure.

Affected vendors include Honeywell, Motorola, Siemens and others, and the exploitable flaws are found in a range of products, including building controllers and distributed control systems.

Critical infrastructure operators already struggle to completely patch their systems — some lack the staff to stay on top of security updates, others would need to shut off their services to even run the patch. So, addressing the new flaws Forescout reported today won't be an easy task: "Realistically, that process will take a very long time," researchers wrote in their report.

What now: Forescout recommends that operators using these devices do their best to isolate them from the rest of their network, monitor all network traffic closely and stay on top of released security patches.

OPENING UP ABOUT OPEN SOURCE — The average time it takes for an organization to fix a security flaw has more than doubled from 49 days in 2018 to 110 days last year, according to a report out this morning from the Linux Foundation and Snyk — underscoring just how difficult it will be for government officials and industry leaders to shore up open source software security after all.

Linux Foundation and Snyk are releasing the report in conjunction with the Open Source Security Foundation's four-day summit, which kicks off this afternoon. While the event's panel topics are more geared toward a technology industry-heavy audience, speakers from Google, IBM and other companies will focus on topics that have become top of mind for the Biden administration since last year's Log4j incident, in which a security flaw in a popular open source Java logging tool left hundreds of millions of devices vulnerable to hacking.

More report details : The report also found that less than half of the more than 550 surveyed organizations have a security plan in place for managing open source software. That number drops to fewer than 3 in 10 companies when looking at medium-to-large companies.

Reading between the lines: The report foreshadows the problems the Biden administration and the cybersecurity industry will face as these two groups work to secure open source code, which is ubiquitous in tech products. Many open source projects are run by volunteers who are too resource- and time-strapped to stay on top of the security updates needed to ensure their code remains safe from hacking.

Critical Infrastructure

WATER WE DOING ABOUT THIS — Securing the country's 50,000 community drinking water systems isn't easy, and it doesn't help that they're often sparsely regulated, cash-strapped and short on workers, as Eric reported for Pros over the weekend. But those working to shore up the water sector's risky cyber posture told Eric there are still several ways policymakers and cybersecurity firms can help the sector get where it needs to be:

Congress could specify that the new water resilience funding in the bipartisan infrastructure law can be used to fund utilities' participation in their sector's information sharing and analysis center. Currently, many water utilities can't afford to join the WaterISAC, which shares best practices and intelligence bulletins from federal agencies and other industry groups. While lawmakers have done this before for the electric sector, they haven't done the same for water organizations: "We have similar needs in that area," said Dan Hartnett, chief advocacy officer for the Association of Metropolitan Water Agencies.

Cyber firms could also offer discounted pricing for certain services to water utilities. Grant Geyer, chief product officer at industrial control systems cyber firm Claroty, told Eric that his company has been "helping to provide discounting" to cash-strapped water systems. Jeff Zindel, vice president and general manager of Honeywell's cybersecurity business, said his team helps utilities identify fixes "where they can get great bang for their buck."

The public could embrace the idea that they're going to have to pay for water security. "We will, on one hand, say, 'Why are you raising my utility rates? What's going on here? You should be more efficient!' and then on the other hand, we'll turn around and say, 'Well, how come you aren't meeting these basic cybersecurity requirements?'" said Daniel Groves, head of the operational technology and cybersecurity group at water consulting firm West Yost. "Water is an absolutely vital asset. We're going to have to pay more for it."

People on the Move

— The Senate Armed Services Committee advanced Maj. Gen. Kevin Kennedy's nomination to lead the Air Force's information warfare branch. He is currently CYBERCOM's director of operations.

Tweet of the Day

A vibe check from CISA Director Jen Easterly as she shares the guitar she got for her birthday over the weekend: "Best birthday present EVER."

Quick Bytes

— A former Amazon engineer was convicted of hacking charges tied to the 2019 Capital One breach, in which more than 100 million customers' personal information was stolen. (The New York Times)

— Leaked audio from internal TikTok meetings suggests that the Chinese government is routinely tapping into U.S. app users' data. (BuzzFeed News)

— The Supreme Court refused to take up the case Jewel v. NSA, which focused on whether to allow public litigation over the National Security Agency's mass surveillance program.

Stay in touch with the whole team: Eric Geller ( egeller@politico.com); Konstantin Kakaes (kkakaes@politico.com); Maggie Miller (mmiller@politico.com); Sam Sabin (ssabin@politico.com); and Heidi Vogt (hvogt@politico.com).
