Cyber risks loom over Covid-prompted corporate IT shifts

With help from Martin Matishak

Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.

Quick Fix

— A security vendor tells MC how the government can help businesses confront technology transformations accelerated by the pandemic, which are the subject of the vendor’s new report.

— Federal advisory boards will meet this week to examine security issues surrounding supply chains, open-source software and the internet of things, including relevant Biden administration policy work.

— A week of SolarWinds hearings sharpened the picture of just how difficult it will be for the government to piece together the full story of the historic series of breaches.

HAPPY MONDAY and welcome to Morning Cybersecurity! Why aren’t we talking more about time crystals? Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

IT Modernization

COMING SOON TO AN IT DEPARTMENT NEAR YOU — The coronavirus pandemic has accelerated a shift to remote work at many businesses, but how permanent will that shift be, what technological changes will companies need to make, and how will these changes affect their cybersecurity postures? A report out today from the endpoint security vendor Tanium reveals the current status of these changes, and a Tanium executive told MC how the federal government can help companies manage the digital transformations that many of them now face. The report’s findings, drawn from a survey of 500 IT decision-makers, are significant not just for the security professionals who may be able to act on them but also for all workers whose lives will be transformed by the technology that their employers use.

The government can help lay the foundation for success in these transformations, Chris Hallenbeck, Tanium’s chief information security officer for the Americas, told MC. “Government agencies can and should continue to develop and share best practices, based on their intelligence and experience, particularly when it comes to newer areas such as zero trust and artificial intelligence,” Hallenbeck said. These technologies “will be pivotal in fostering a successful transition to remote work,” he said, but “the barriers to entry are too high” for some firms.

Tanium’s report lays out various security challenges for businesses. Employees working remotely may engage in riskier behaviors or may simply fail to protect their personal devices the way their employers protect their work devices. When Tanium asked companies about their employees’ highest-risk behaviors since the pandemic began, 41 percent cited their handling of sensitive data, 38 percent mentioned employees clicking on phishing links and 35 percent mentioned their use of “shadow IT,” meaning programs and services that their IT departments didn’t manage.

Seventy-three percent of IT professionals surveyed said that the pandemic had created new cybersecurity challenges. Remote work, in which more devices sit outside an employer’s firewall and other on-premises security features, has forced companies to consider new security measures, such as user privileges configured to the lowest possible level to mitigate the risks of account takeovers. As a result of the pandemic, 66 percent of companies reported speeding up their plans to migrate resources to the cloud.

Cloud migration offers both promise and peril. And as technology changes, with more company resources moving to other firms’ cloud environments, regulations should change too, Hallenbeck said. “We need to see clearer security standards, mandates that require organizations to notify parties about breaches and vulnerabilities in a timely manner, and firm systems of accountability,” he said.

DOMINATING THIS WEEK’S CALENDAR — Two federal advisory committees will meet this week to discuss many of the most important cyber policy issues facing the Biden administration, and the presentations delivered to these government boards will offer a peek into the state of the research and policymaking efforts that Biden has inherited and that his appointees will help shape.

The main action is at the Information Security and Privacy Advisory Board, managed by the National Institute of Standards and Technology. During its meeting on Wednesday and Thursday, it will receive a “forensic brief” from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on the dominant cyber problem of the day: the SolarWinds campaign. Other sessions will include presentations about the state of open-source software security and the Pentagon’s contractor cybersecurity program.

The advisory board will also hear about NIST and Congress’s efforts to improve the cybersecurity of internet of things devices, whose security risks have multiplied as the devices themselves have proliferated. And board members will receive a briefing about agencies’ work to improve the resilience of position, navigation and timing resources such as GPS (more on that below).

Supply chain security — a broad issue of which SolarWinds is currently the most visible example — will also be the focus of Thursday’s meeting of the National Infrastructure Advisory Council. During the meeting, NIAC members will listen to a panel discussion about supply chain risks. They will also receive an update on a study of cyber workforce development strategies and participate in a roundtable discussion about future work.

SolarWinds

SOLAR SPOTLIGHT ON BIGGER PROBLEMS — As the world digests last week’s SolarWinds hearings, several details — particularly from Friday’s joint House Oversight and Homeland Security hearing — stand out for how starkly they illustrate the challenges that federal investigators face as they pore over incident logs and develop plans to prevent repeat incidents.

The suspected Russian hackers only accessed approximately 77 people’s email accounts during the roughly 60 intrusions that Microsoft observed, Brad Smith, the company’s president, said during the House hearing. The figure “certainly sounds like it’s in the right range,” Smith said after Rep. Jim Langevin (D-R.I.) recounted Microsoft employees sharing it with his staff during a recent briefing.

As incomplete as it is — Microsoft did not observe every attack — the number highlights just how targeted and careful the hackers were. The infected SolarWinds software update that opened the doors into many victims’ systems went to roughly 18,000 organizations, and SolarWinds wasn’t even the only attack vector. With President Joe Biden’s administration estimating that the hackers targeted roughly 100 companies and nine agencies, their restraint in inspecting only 77 people’s emails suggests that they had specific goals — underscoring how important it will be for investigators to figure out just what those goals were.

Meanwhile, SolarWinds itself might have fallen prey to a supply chain attack. During Friday’s hearing, SolarWinds CEO Sudhakar Ramakrishna, who joined the company in January, identified the three possible attack vectors that his employees were examining as they tried to figure out how SolarWinds was breached. One of them was the most ominous: Ramakrishna said that SolarWinds could have been hacked because of a vulnerability in third-party software that it used.

Ramakrishna declined to identify the software or the vulnerability; it is unclear if SolarWinds has even confirmed that such a vulnerability exists. But the possibility highlights the interdependencies between modern businesses and the spider web of risk that emanates from each one. It also underscores the urgency of improving the security of the software development process.

DO NOT MAKE THAT U-TURN — DHS is trying to help companies that rely on GPS data avoid seeing their operations disrupted or compromised by faulty or tampered information. The department on Friday released two resources to address vulnerabilities in position, navigation and timing, or PNT, services that are likely to become more tempting targets as more countries develop digital warfare capabilities and more aspects of modern life become dependent on PNT data.

The first resource, a PNT Integrity Library, contains source code for software that can help organizations “verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.” The code is designed to be incorporated into products that receive PNT data and can raise alarms if its algorithms detect signs of tampering. The second resource, a collection of “Epsilon” algorithms, can allow PNT integrity-checking software to detect issues without complicated modifications to the receiver equipment.

Report Watch

Russia, Brazil, and the U.S. were the countries most infected by stalkerware last year, according to Kaspersky. The U.S. surpassed India, rising from fourth place in the company’s global rankings in 2019 to third in 2020. Germany was the No. 1 European country, coming in sixth in the global rankings, while Iran, Italy, the United Kingdom and Saudi Arabia rounded out the top ten. The company’s “The State of Stalkerware 2020” report found there were 53,870 mobile users within its client base who were affected by stalkerware in 2020. That’s less than the number impacted in 2019 but much more than the 2018 figure. Since Kaspersky only examined its users, the total number of stalkerware victims is likely much higher.

DEPT. OF CORRECTIONS — Friday’s edition of Morning Cybersecurity incorrectly reported a change in the lineup to that day’s joint House Oversight and Homeland Security hearing on the SolarWinds hack. George Kurtz, president and CEO of CrowdStrike, did not testify.

TWEET OF THE DAY — Enjoy some good-natured jokes and some earnest praise.

Quick Bytes

— Cyberattacks are slamming the health care sector, with Universal Health Services reporting that a September ransomware attack cost it $67 million. (Wall Street Journal)

— Recorded Future spotted Chinese hackers lacing India’s power grid with malware amid border clashes.

— CrowdStrike examined a pair of ransomware groups that “have not attracted much attention.”

— The Biden administration will move forward with a Trump-era regulation blocking the purchase of technology from companies linked to foreign adversaries. (Wall Street Journal)

— PwC’s annual cyber threat report contains sobering statistics, especially about ransomware.

— An iPhone security testing company bought a firm owned by a leading ARM microchip tester. (Forbes)

— Biden nominated a top military cyber adviser to the rank of rear admiral.

— Microsoft and other tech giants are using SolarWinds to argue for and against increased cloud migration. (Wall Street Journal)

That’s all for today.

Stay in touch with the whole team: Eric Geller ([email protected],@ericgeller); Bob King ([email protected],@bkingdc); Martin Matishak ([email protected], @martinmatishak); and Heidi Vogt ([email protected],@heidivogt).