DoD CMMC Update

To say that DoD’s plans to enhance the cybersecurity practices of the defense industrial base have not gone exactly as planned would be polite.

White House Executive Order 13556, creating the controlled unclassified information (CUI) program, was issued in 2010. 12 years later, DoD is still wrestling with the issue.

DFARS 252.204-7012, which mandated NIST 800-171 compliance, became effective in 2017.

CMMC version 1 was issued in late 2020 as an interim final DFARS rule. It never really went into effect.

CMMC version 2 was released in November 2021. It tried to simplify CMMC 1.0 and did, to an extent. But within months, DoD realized that a key part of it (splitting CUI compliance into two parts – one which could be self-certified and one that required third party certification) was unworkable.

So where is it now?

CMMC 2.0 is now in the “rulemaking process” under Title 32. This process is required for all federal regulations and is really complicated. After that, it has to go through the Title 48 process which governs the Federal Acquisition Regulations process.

Stacy Bostjanick, who has been trying to shepherd CMMC since the beginning, is hoping that the changes that come out of the rulemaking process are minor changes to what was released a few months ago. No guarantees.

She says that she is hoping that they will be allowed, one more time, to create another “interim final rule”. Hoping.

They are trying to reduce the number of companies that will require expensive third party certifications from maybe 300,000 to 100,000, but right now there are only a dozen companies who have been approved to certify contractors. You do the math.

On top of that, DoD’s contracting officers have not been well trained in understanding and documenting what is CUI, or in communicating that to contractors. You can’t communicate what you don’t understand.

Many folks believe that what will come out of this rulemaking process, which is based on NIST SP 800-171 version 2, will likely look a lot like what went in. I think this is probably right.

This means that small businesses will need to make a costly decision about whether they stay in the defense business. Many will leave. In the last six years, the number of small businesses in the defense sector has shrunk by nearly a quarter.

Unfortunately, DoD is boxed in. The problem is real and there is no simple fix. Ignoring security is not a plan. Neither is asking contractors to pinky-swear that they are doing what they should be doing.

The rules are expected to emerge from the rulemaking process in May. May 2023 that is. 13 months from now. They anticipate submitting the proposed rules in July of this year.

The Pentagon is talking to international partners. The UK has a “similar” program called the Cyber Essentials program. The Pentagon wants to compare the two programs. The Pentagon would like everyone to roll over to their desires, but that is unlikely to happen. This means that there will be differences, country to country. Contractors that do business in multiple countries will have even more paperwork – and cost – to deal with.

DoD is trying to incentivize contractors to get certified now. In part this is because, if everyone waits, the size of the queue will be that much longer. That means that if people wait for the rule to come out and get documented, then it will be that much longer before any meaningful number of companies get certified. That means the DoD would have to choose between dropping the contract requirement or picking a less qualified, more expensive vendor who is certified. What a mess. DoD’s hands are somewhat tied in this process. They cannot offer contractors money to get certified, but they can say that vendors who are certified will rank higher in the review process than ones that are not certified. They can also say, MAYBE, that if you get certified now your certification will last longer: say, three years from when the standard is actually approved instead of three years from now.

One thing that did come out in CMMC 2.0 is the concept of “waivers”. In CMMC 1.0 if you failed any controls, you failed the test. In CMMC 2.0 they are talking about waivers. Limited time, limited function, only for certain controls, maybe. They have admitted that, given they do not want to shoot themselves in the foot, they are going to be forced to issue waivers. They have said that each waiver will need to be individually approved by the service needing the product, which makes sense. Since some executive is going to put his or her name on a piece of paper, that by itself will limit waivers. The CURRENT plan is that waivers can’t be for more than 180 days. If there are a lot of waiver requests (there will be), that by itself will be a paperwork nightmare – both approving and tracking them. Also, since the waivers will be technical in nature, the service executive approving them will need someone to explain to him or her what the hell they are approving. A mess, in other words.

The Pentagon has created an internal deadline to submit the proposed rule to the OMB on May 4. That is step 1 in the process. Generally, they have been good at meeting those deadlines. Just barely.

They are hoping to amend the -7019 and -7020 clauses instead of starting over, and that is probably reasonable. But reasonable and government don’t necessarily match. It is possible that DoD will feel they need to close on a deal for the Title 32 rule before submitting the Title 48 rule. That could drag things out.

We continue to tell clients to focus on 800-171 because that is VERY LIKELY to remain the core of whatever comes out of the sausage grinder. That is also what they agreed, in writing, to comply with since 2017. That means that contractors who are not 800-171 compliant are technically in breach of contract.

One more fly in the ointment. Since 800-171 R2 came out, 800-53 revved from R4 to R5. There is an effort within NIST right now to create 800-171 R3 based on the NIST SP 800-53 R5 moderate baseline. DoD has already said that they are working with NIST to incorporate some of the stuff that they “lost” when they went to CMMC 2.0. That means the goalposts are likely to move before the final rule is in place.

Credit: SCMagazine, Inside Cybersecurity, YouTube, Inside Cybersecurity, Inside Cybersecurity

Dark Patterns and the Law

First – what are dark patterns?

Here is a definition from Wired:

The term “dark patterns” was first coined by UX specialist Harry Brignull to describe the ways in which software can subtly trick users into doing things they didn’t mean to do, or discouraging behavior that’s bad for the company. When you want to unsubscribe from a mailing list, but the “Unsubscribe” button is tiny, low-contrast, and buried in paragraphs of text at the bottom of an email, it’s a strong sign the company is putting up subtle roadblocks between you and cancellation.

The objective of using a dark pattern is to get you to do something you really don’t mean to do, or to stop you from doing something the company does not want you to do.

That is why we are seeing more attention from legislatures and regulators.

California’s new privacy law says that it can’t be any more difficult to close an account than to open an account.

The EU’s new Digital Markets Act is proposing to regulate dark patterns.

But not everyone is listening.

Now even the CFPB is going after them.

The Consumer Financial Protection Bureau filed a lawsuit against TransUnion, two of its subsidiaries and a former TransUnion executive.

The CFPB says that they are violating a 2017 consent order and that TransUnion was engaging in deceptive marketing of credit related products.

In this case, the CFPB wants to make a point of making officers and directors feel the pain from the decisions of their companies by including them in the lawsuit.

In October 2018 the CFPB went checking on TransUnion’s compliance with the previous year’s consent order. That consent order required TransUnion to get the consumer’s express informed consent before enrolling them in a product with a “negative option” feature. In this case, that means enrolling the consumer in a free trial and then forcing them to do something to cancel the subscription at the end of the trial. It also required them to simplify the cancellation process (the so-called dark pattern – make it hard to cancel).

In 2019, 2020 and 2021 the CFPB told TransUnion that they were violating the consent order, hence the lawsuit.

In the lawsuit, the CFPB says:

In its complaint, the CFPB alleges that the corporate defendants violated the consent order in various ways, including by (1) giving consumers the misleading impression that their payment information was requested for purposes other than payment, (2) offering negative option enrollments without using a checkbox to affirmatively enroll in such products as required by the consent order, and (3) failing to provide an appropriate method for consumers to cancel their enrollment. Following its pattern of using heated rhetoric in its media statements and more neutral language in its complaints, the CFPB alleged in its press release that TransUnion “used an array of dark patterns to trick people” and “cheated customers.”

TransUnion says that the complaint is meritless and blamed the CFPB. Interesting strategy.

Expect more of this from all sides. If you are using dark patterns, consult your attorney. Better yet, just stop.

Credit: Ballard Spahr

OCC Enters Consent Order Against ‘Digital Bank’

The Office of the Comptroller of the Currency, or OCC, regulates federally chartered banks. Digital banks, AKA crypto wunderkinds, would like to get a bank charter for a number of reasons.

One reason is that they want access to the international banking network. Another is to show that they are all grown up.

But if you want to play with the big kids, you need to act like a big kid and in the cryptocurrency scam/racket (sorry, end of editorial), that is hard.

Enter Anchorage Digital Bank. Based in South Dakota, this was a conversion of Anchorage Trust Company. In January 2021, the OCC issued conditional approval of the conversion. As part of that, the OCC approved their operating agreement.

My guess is that this was a ‘canary in the coal mine’ and this month, the canary died.

The OCC entered a 25 page consent decree against the bank, which they did not dispute. The OCC is explaining, loud and clear, if you want to be part of the banking system, the rules that apply to every other bank, apply to you.

Okay, so what did they do wrong?

Remember that the main purpose of cryptocurrency is to hide stuff. Also to speculate, but mostly to keep the government out of their customers’ business. Even the Swiss discovered that there are limits to that and they, over the last 10 years, have begun to play nicer with the feds.

Note: to get a better picture of how hard it is for the government to stop hackers from using cryptocurrency to evade law enforcement, read this article from the Washington Post that describes North Korea’s efforts to wash the $600 million in crypto they stole last month. So far, they have washed about $100 million of it. If Anchorage Digital wants to play with the big kids, this is what they have to wrap their arms around.

Without repeating the entire consent decree, there are two major areas, not surprising, that the OCC is upset with. One is the Bank Secrecy Act, which requires banks to report suspicious activity. Aren’t most cryptocurrency transactions suspicious? That is hard to do. Second is anti-money-laundering. This requires banks to actually know who is conducting business. Like IDs and Corporate Resolutions. All that stuff that actual banks have done for years. Together these are known as BSA/AML.

Among the actions they have to complete are creating a compliance committee of outside directors within 15 days. That is no small task, given their business model. Who wants that liability? Those members have to be approved by the OCC. Then they need to create a plan of action with milestones and get that approved by the OCC. Finally, the committee has to report to both the board and directly to the OCC periodically (like quarterly) on their progress.

The consent decree is a bit geeky but easy to read, and if you want to know the future of cryptocurrency banks and exchanges, this is kind of a road map. If you don’t follow this road map, the feds are pretty likely to shut you down. Maybe even throw a few people in jail as a signal to the others.

I found it a great read.

Credit: OCC

EU vs. Musk – I Need Some Popcorn

It **appears** that Elon Musk is going to take Twitter private. We have no clue what the result of that will be, but it might mean a more wild, wild west version of Twitter. He says that he wants less content moderation, for example.

This weekend the EU appears to have agreed to the framework of the Digital Services Act (DSA), which plans to put unprecedented restrictions on online content.

It seems like these two goals are at odds.

Of course, Musk could choose to pull out of Europe, but revenue-wise, that doesn’t seem wise and it will certainly open up an opportunity for others to fill the void.

The DSA will prohibit targeting consumers based on gender, ethnicity or sexual preference.

It will also ban dark patterns, a topic for an entire blog post.

These might not bother Elon much.

However, it also requires platforms to incorporate an emergency mechanism to disclose the steps they are taking to censor disinformation. He might not like that.

Fines max out at 6 percent of global revenue for a first offense (about $200 million for Twitter, PER OFFENSE) and more for repeated offenses.

It also provides a mechanism for users to sue platforms in court and new protections for minors. It also provides more enforcement by the European Commission for large platforms like Twitter.

Here is a table of specific requirements by category and size of provider.

Musk has a tradition of ignoring regulations, but that has not always worked out well for him. I don’t think the EU will take kindly to that strategy.

Still, this is definitely time for popcorn.

Other countries are looking at similar restrictions and this could be a framework for them.

Credit: Computing and The EU Commission

Security News for the Week Ending April 15, 2022

Cyber Command Says Chip Shortage is a National Security Issue

The head of U.S. Cyber Command, General Paul Nakasone, told Congress that China’s continued progress towards domestic chip production is a problem. If China achieves chip independence, that puts them in a position to do what they want and not worry about sanctions. For example, they could cut off our access to precious metals that we need to produce chips ourselves. Credit: Cyber Scoop

Russian Crooks Worried Sanctions Will Delete Their Ill-Gotten Gains

Russian crooks are nothing if not capitalists. They are worried that sanctions could impact their net worth and they are chattering about that on the underground web. They are worried about funds in Russian banks and how much their Rubles might not be worth in six months. I am so sad for them. Not. Of course, that might mean the Russian mob might do some kinetic adjustments themselves. Credit: Cyber News

CISA Advises D-Link Users to Take Vulnerable Routers Offline

CISA is really rocking when it comes to telling folks about bad stuff. The newest vulnerabilities are a remote code execution on a whole family of D-Link routers. Unfortunately, they have reached their end of support, so D-Link is not going to fix them. Users ask all the time why they have to replace working hardware that has reached end of life. The answer is because you want to keep the bad guys out. If you don’t care, keep using them. You can rest assured that the hackers are scanning the Internet looking for these routers – which will never be patched. Credit: Malwarebytes

New Bug in MS RPC Runtime – Zero-Click Remote Code Execution

CVE-2022-26809 has emerged just a couple of days after Patch Tuesday. It is a remotely exploitable, unauthenticated, zero-click (no user interaction) remote code execution bug. It doesn’t get much worse than that. The bug is in the Microsoft Remote Procedure Call runtime and affects multiple Windows versions. If you block port 445 at your firewall (both in and out, which you should), that will stop direct external attacks, but it won’t stop attacks from a compromised workstation. Credit: Helpnet Security
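The port 445 advice above has a concrete check behind it: does your perimeter actually drop TCP/445 in both directions, and how much 445 traffic never touches the perimeter at all? The script below is an added example for this post, not code from the original article, Microsoft, or Help Net Security. It assumes a simple key=value firewall flow-log format and RFC 1918 ranges as the internal networks (both constructed here), sorts TCP/445 flows into inbound-from-Internet, outbound-to-Internet and internal-to-internal, and flags two things a defender wants to see: perimeter-crossing 445 that the firewall allowed (a missing block rule) and internal-to-internal 445 that a perimeter rule can never see (the compromised-workstation case the text mentions).

```python
"""Triage TCP/445 flows against a perimeter block rule (added example; constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Address ranges this hypothetical organisation treats as internal (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records, not real logs. The 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 documentation ranges stand in for Internet addresses.
SAMPLE_LOG = """\
2022-04-14T10:01:02Z fw src=203.0.113.7 dst=10.0.5.21 proto=tcp dport=445 action=allow
2022-04-14T10:01:05Z fw src=10.0.5.21 dst=198.51.100.9 proto=tcp dport=445 action=allow
2022-04-14T10:02:11Z fw src=10.0.5.21 dst=10.0.5.40 proto=tcp dport=445 action=allow
2022-04-14T10:02:30Z fw src=10.0.5.21 dst=10.0.5.1 proto=tcp dport=443 action=allow
2022-04-14T10:03:00Z fw src=192.0.2.44 dst=10.0.5.40 proto=tcp dport=445 action=deny
"""

# One record per line: timestamp, source, destination, protocol, destination port, verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    action: str


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"],
        src=ipaddress.ip_address(m["src"]),
        dst=ipaddress.ip_address(m["dst"]),
        proto=m["proto"].lower(),
        dport=int(m["dport"]),
        action=m["action"].lower(),
    )


def classify(flow: Flow) -> Optional[str]:
    """Direction class of a TCP/445 flow relative to the perimeter, or None if not 445."""
    if flow.proto != "tcp" or flow.dport != 445:
        return None
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if dst_in and not src_in:
        return "inbound-from-internet"   # should be dropped by the perimeter
    if src_in and not dst_in:
        return "outbound-to-internet"    # should also be dropped by the perimeter
    if src_in and dst_in:
        return "lateral-internal"        # perimeter rule cannot see this at all
    return "transit"                     # neither end internal; odd for a perimeter device


def triage(log_text: str) -> dict:
    """Count 445 flows by direction and list the two findings worth acting on."""
    counts = {k: 0 for k in ("inbound-from-internet", "outbound-to-internet",
                             "lateral-internal", "transit")}
    perimeter_gaps = []  # perimeter-crossing 445 that the firewall allowed
    lateral = []         # internal-to-internal 445 needing host firewall / segmentation
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        kind = classify(flow)
        if kind is None:
            continue
        counts[kind] += 1
        if kind in ("inbound-from-internet", "outbound-to-internet") and flow.action == "allow":
            perimeter_gaps.append((flow.ts, str(flow.src), str(flow.dst), kind))
        elif kind == "lateral-internal":
            lateral.append((flow.ts, str(flow.src), str(flow.dst)))
    return {"counts": counts, "perimeter_gaps": perimeter_gaps, "lateral": lateral}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("TCP/445 flows by direction:", result["counts"])
    for gap in result["perimeter_gaps"]:
        print("PERIMETER GAP (445 allowed across the edge):", gap)
    for hop in result["lateral"]:
        print("INTERNAL 445 (not covered by perimeter block):", hop)
```

Run it against your own flow export after adjusting `LINE_RE` and `INTERNAL_NETS`; any entry in `perimeter_gaps` means the in/out 445 block the text recommends is not actually in place, and a non-empty `lateral` list is the reminder that the block buys nothing once a workstation inside is already compromised.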

Reminder: 3G Cell Networks Shutting Down. Old Devices Will Stop Working

Wireless spectrum is scarce. Buying it from someone else is very expensive. What are the carriers doing? Reusing old spectrum. The carriers have already shut down their 2G networks. Next comes their 3G networks. That means that old cars that talk to the Internet will stop talking. Alarm systems will stop sending alarms if they can only talk 3G (there may be a box that your alarm company can add to your system to fix this). Medical devices may stop talking to your doctor. Depending on the carrier, the shutdown has already begun. AT&T turned theirs off in February. Verizon is at the end of the year. If you have anything that uses the cell network, now is the time to check. Credit: ZDNet

Ya Know Those Stories About People Listening in on Your Microphone? Yup!

We often hear stories about people listening to you (eavesdropping) using your phone or PC’s microphone even when you think they are not. We usually attribute that to the “tin foil hat” crowd, but, apparently, that might be a bit optimistic.

Researchers at U Wisconsin Madison and Loyola Chicago say that they tested the top 10 video conferencing apps and here is what they found.

IF you are using the vendor’s platform native app, the mute button doesn’t work the same way that the OS muting function works.

Web apps that run in the browser without a local app, or that use WebRTC controls, turned off the mic correctly.

Software based app mute buttons – well, it depends.

Many smart speaker vendors put a physical button on the device to make people more comfortable that the mic is really off.

The researchers say that they found “fragmented policies” for dealing with the microphone when muted.

Among the apps studied – Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord – most presented only limited or theoretical privacy concerns.

The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability.

Cisco Webex does transmit audio metrics (but not actual voice) when your mic is muted. Cisco says they changed the way Webex works after they were outed.

The only sure way to disable the audio is with a hardware switch, which some headsets have. Beyond that, you are trusting the vendor.

Credit: The Register