The Kitchen Sync

Cozy Bear is on a rampage

What’s new: A recently discovered supply-chain cyber operation gave Russia access to as many as 18,000 key US government and industry computer networks.

Why this matters: Moscow may still be in many of these networks and it’s going to be difficult and expensive to remove them.

Key points:

• Last week, the FireEye cybersecurity firm announced several of its marquee “red hat tools” were stolen by a sophisticated hacking group — likely a group known as “Cozy Bear,” who works for Russia’s SVR intelligence service.

• This week, we found out that a company named SolarWinds was also compromised and that its servers were used by Cozy Bear as a launching pad into some of the company’s customers’ networks.

• SolarWinds provides software and server management services to 300,000 clients, including all five military branches, the Department of Homeland Security, ten of the top US telecommunications companies, and five of the top US financial companies. 

• A new company filing with the SEC says Moscow may have compromised as many as 18,000 customers for as long as six to nine months. 

What we’re thinking: 

• As the President’s former Homeland Security Advisor, Tom Bossert, has said, “The magnitude of this national security breach is hard to overstate.”

• You have to assume the worst: A sophisticated attacker like Russia can do a lot of damage in six to nine months. They likely gained significant access in their priority targets and meaningful access elsewhere.

• No really, you HAVE to assume the worst: Again, from Tom Bossert, “The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated … The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.”

• This is going to take a lot of time, money, and effort to fix: Because the Russians have had time to dig in and to cover thier tracks, we’ll have to isolate and replace a massive number of computers, servers, and other hardware across thousands of government and corporate networks. As a point of reference: it took the federal government more than one year to remove Kaspersky anti-virus software from its systems after the company was deemed a risk.

• Say it with us: Nations. Networks. Supply-Chains: Our status quo posture on national cybersecurity is simply unsustainable. Multiple government reports going back decades have drawn this conclusion. If the US wants to secure its people and its interests, we must accept and adapt to the reality that, in the modern context, defending nations means defending networks, and defending networks means defending supply-chains.

First FED IoT law passed

What’s new: The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 is now law.

Why this matters: The new law is the first US federal law addressing IoT security.

Key points:

• The act limits federal acquisition of IoT devices to those that meet a minimum cybersecurity standard and also establishes a notification program for reporting vulnerabilities.

• The bill took more than three years to craft but passed through the US House and Senate without opposition.

• According to the GAO, 56 of 90 government agencies say they use IoT, but others have avoided these devices over security concerns.

• The passage of the act now kicks off a process where the National Institute of Standards and Technology (NIST) will need to publish minimum IoT security requirements within 90 days and then review those guidelines at least every five years.

What we’re thinking: IoT security is a big challenge and, frankly, we’re a little late to the game. Nevertheless, setting standards for government aquisition and use of these devices is necessary and welcome.

FTC asking tech companies about data

What’s new: The Federal Trade Commission issued orders to nine streaming and social media companies, asking them to provide information on how they handle certain types of data, according to Gizmodo.

Why this matters: Data requests like these, called 6(b) orders, are often used to inform future investigations and enforcement efforts.

Key points:

• 6(b) orders went out to Amazon, Discord, Facebook, Reddit, Snap, Twitter, WhatsApp, YouTube, and Bytedance (parent company of TikTok).

• There doesn’t seem to be a specific enforcement action behind the data calls; instead, they appear to be part of a broad effort to examine how these companies handle user data and privacy.

• The companies have 45 days to respond.

The FTC specifically wants to know …

• How companies collect, use, track, estimate, or derive demographic and personal data;

• How ads and other content are targeted to users;

• If and how personal information is leveraged for or by algorithms or data analytics;

• How user “engagement” is measured and promoted; and, 

• How these and other practices affect children and teens.

What we’re thinking: These are big questions and 45 days isn’t a lot of time. Look for this process to stretch out. Also, these companies could be forgiven for feeling uneasy about the guy in the black hood handing out rope.

Europe wants another shot at tech

What’s new: The UK and EU have released draft legislation to “halt the spread of harmful content and improve competition” online, according to the New York times.

Why this matters: European governments increasingly see tech companies as critical infrastructure and appear more inclined to saddle them with regulatory burdens like those found in banking, telecommunications, and healthcare industries.

Key points:

• The British government is proposing an outright ban on some content — like child abuse, terrorist propaganda, and self-harm videos — with enforcement of the ban including billions in possible fines.

• The EU also rolled out a proposal that would require companies like Amazon, Apple, Facebook, Google, and Microsoft to provide more information on services like targeted advertising as well as to more aggressively limit “hate speech” online.

What we’re thinking: Europe tends to regulate first and ask questions later. This posture is one of the main reasons the UK and EU have a relatively small technology industrial base and are ill-positioned for domestic innovation. Even so, don’t be surprised if a Biden administraton takes a look at these proposals and uses them as a model for actions in the US.

Key AI provisions in NDAA at risk

What’s new: President Trump continues to threaten a veto of the 2021 National Defense Authorization Act (NDAA), imperiling several significant AI provisions in the bill.

Why this matters: The AI portions of the 2021 NDAA are among the most aggressive measures the US government has considered, and a failure to pass these measures will significantly constrain the nation’s ability to prepare for and to leverage this decisive technology.

You can read a summary of the NDAA’s AI provisions here.