As COVID-19 rages across the United States, pandemic-related cybersecurity threats have increased while ongoing long-term cyber threats continue unabated. Phishing and ransomware plague us, cybercriminals attack our teleworkers, and nation states go after our vaccine-related research. Thankfully, we continue to improve cyber threat intelligence sharing between the public and private sectors while the Cyberspace Solarium Commission’s (CSC) recent recommendations may lead to legislation that helps the federal government better protect our nation’s critical infrastructure.
On June 4, Bryan Ware, the Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), provided attendees an update on CISA and the agency’s priorities for 2020. This post includes some highlights from his presentation, covering current threats, cyber threat intelligence sharing, and the CSC’s critical infrastructure recommendations.
CISA has not only seen a recent increase in phishing activity but also a shift in the kind of phishing from scammers. Cybercriminals are taking advantage of the COVID-19 pandemic to fool people about various aspects of the crisis—from vaccines and antibodies to stimulus checks. Of course, scammers continue to improve their spoofing methods, posing as legitimate organizations and using well-disguised email addresses.
In April, CISA published a joint advisory with the UK’s National Cyber Security Centre (NCSC) showing that cyber criminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a range of ransomware and malware. In the advisory, they noted:
“The techniques used by attackers prey on people’s appetite for information and curiosity towards the outbreak, with phishing emails and SMS messages using the virus as a lure to trick people into revealing credentials or downloading malicious software. Phishing attempts often come from what appears to be a trustworthy sender, such as the ‘World Health Organization,’ or with a subject line such as ‘2019-nCov: Coronavirus outbreak in your city (Emergency).’”
Ware noted that one of CISA’s priorities is helping our nation respond to and get out of the COVID-19 crisis by protecting hospitals. CISA Director Christopher Krebs is concerned about nation state actors and cybercriminals using ransomware to attack hospitals and demand large ransoms during such a critical time of caring for infected patients. Threat actors could potentially have a large-scale impact on our healthcare system using ransomware, and CISA is working with the FBI on several efforts to meet this ransomware threat. Currently, we’ve seen no significant ransomware impact on our nation’s COVID-19 response.
CISA is concerned about nation state espionage targeting COVID-related vaccines, antivirals, and other medications. Pharmaceutical research is considered part of a critical infrastructure industry and it’s facing real attacks and exploits driven by nation states, especially China, Russia, Iran, and North Korea. We must be on guard, as we will not see a full return to normal until a vaccine is globally distributed. CISA has been scanning IP devices and engaging in incident response for pharmaceutical companies targeted by adversaries. These kinds of attacks especially match China’s playbook of stealing and transferring intellectual property to copy, replicate, and bring it to scale.
Through an economic downturn, we are fortunate that a great deal of work can carry on through teleworking. However, unsecured workstations, wireless routers, and networking equipment in people’s homes become another point of attack for cybercriminals. We’ve essentially moved many of our corporate networks into our homes, but risks exist with old equipment, kids on the network using unsecured apps and games, and IoT devices on the network ranging from Nest to refrigerators. To help, CISA has pushed out products related to teleworking such as its TIC 3.0 Interim Telework Guidance document.
CISA recently published a report titled “Top 10 Routinely Exploited Vulnerabilities” where it detailed how the vast majority of exploited vulnerabilities have existed for years. Nation states are still mining old Microsoft vulnerabilities, and unpatched VPN vulnerabilities remain a special concern—especially now because VPNs are so crucial for teleworking.
Some questions from attendees touched on a few interesting areas that Ware addressed.
What concerns do you see about SaaS services versus VPNs?
Ware pointed out that a company can fix its VPN and know it, but there’s more uncertainty about managed service providers fixing their VPNs. This extends to the bigger issue of understanding your supply chain, paying close attention to third party security practices, and auditing your security practices. CISA's Supply Chain Risk Management (SCRM) Essentials offers good practices for CISOs and their teams.
What are your thoughts about the CSC’s recommendations on critical infrastructure?
CISA had a front-row seat when it came to the CSC’s development of its recommendations. Overall, Ware felt the CSC did a good job explaining the threat. The US really needs a national cyber defense operations entity, and CISA’s current prominence among agencies is not as asserted as it should be. CSC Executive Director Mark Montgomery said CISA should be first among equals with entities such as the NSA, FBI, and DoD when it comes to protecting critical infrastructure.
CISA focuses on critical infrastructure not only by sector but also by national critical functions, with a construct of security risk management built around these functions. Its relationship with private industry (which owns 85% of critical infrastructure) is still at arm’s length, and CISA does more pushing (emails, spreadsheets, etc.) versus pulling (asking for information). The CSC envisions a model where this relationship is tighter—with information shared more effectively and collaboration heightened. This is important because quite a few companies have critical assets and resources essential to the US that adversaries are interested in disrupting. Should those companies be solely responsible for protecting themselves? No. CISA needs to help these companies better defend themselves and impose costs on adversaries through CISA’s cybersecurity monitoring and defense capabilities.
What about the balance between international researchers sharing information openly versus concerns about national security? Will too strict of a cybersecurity approach hurt our chances of developing a vaccine faster?
Nothing should stop the US from developing a vaccine and getting it distributed. True, scientific innovation comes through collaboration and we cannot assert that the US has all the best ideas. It’s a challenging balance between collaboration for humanity and science versus security considerations and the aspirations of adversaries.
However, it’s clear from China’s published priorities concerning AI, 5G, agricultural science, and pharma that they use their intelligence agencies to collect, steal, and transfer IP to China. We can’t think, “No harm as long as a vaccine gets to the market!” If the United States develops the vaccine, then we can ensure it’s distributed around the world. By contrast, we have seen instances where China has traded PPE for additional concessions from foreign governments. It’s not unreasonable to think they will use a vaccine as currency and leverage, and we cannot accept that outcome.
CISA works to protect and defend US pharmaceutical companies and federal agencies such as the National Institutes of Health (NIH), especially where adversaries target pharmaceutical research centers. These cyberattacks are happening right now, and CISA shares what it sees with others and uses every instrument of available power to defend our COVID-19 research.
Any updates with bi-directional cyber threat intelligence sharing between the public and private sectors?
DHS has struggled with many bureaucratic hurdles related to Automated Indicator Sharing (AIS). They developed standards, Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII), which got turned over to an international standards body. For years, that body has not updated that standard, upon which DHS’s technologies and tools have been built. Currently, hundreds of companies use AIS, including many that don’t realize they’re consuming AIS indicators from other threat intelligence providers using AIS’s feed. AIS remains limited, though, because CISA hasn’t enabled as much bi-directional contextual cyber threat intelligence sharing as they would like.
Some good news—CISA updated the STIX/TAXII standards this year and will have new versions of AIS before the end of this year that will allow for some significant new capabilities. In the meantime, CISA is still actively signing up companies for AIS and working with other cyber threat intelligence providers. Ware reminded attendees that CISA is not a regulator. CISA only shares information with a regulator if a company or institution gives consent. CISA offers a variety of different agreements to fit the needs of various companies and institutions. Through those agreements, CISA works with organizations on vulnerabilities and sharing information, with that information protected from the FOIA and regulators. Cyber threat intelligence sharing is most effective when a company has a relationship with both a sector-specific agency (such as the Department of Energy or Department of Health and Human Services) and CISA.
Ware recognizes that CISA needs to adopt as many existing commercial practices and technologies as possible, as the government should not be in the business of building technology. Addressing lags in some intelligence sharing versus commercial entities, Ware pointed out that cyber threat intelligence must go through different levels of classification while respecting the users and consumers of that information by limiting its visibility for various reasons (such as company proprietary information or legal authorities of the US government prohibiting certain information about US persons). A joint collaborative public-private partnership environment isn’t about lifting and shifting a commercial tool, although CISA will use as much commercial technology as possible (such as hypercloud services).
CISA recently analyzed various classified, commercial, and open source threat indicators to figure out who saw the most and who saw them soonest (commercial or federal government). It found that commercial entities see a lot more threat indicators than government, faster and more frequently, but the federal government provided a number of unique indicators significantly earlier. This smaller volume results from activities conducted by the NSA and other entities inside foreign networks and other places where US companies are not deployed. As CISA moves forward with AIS, adopts commercial industry solutions, and strengthens partnerships with threat intelligence providers, they are trying to strike a balance between areas where CISA has unique visibility versus industry’s greater volume of visibility—ultimately crafting a solution that addresses both. Right now, we’re not there, but Ware hopes we get there soon—quickly and smartly.
The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies.