Executive Order on Cybersecurity Part 3

This executive order is a big one – and very aggressive. Here is part 3 of what is in it. I am going to keep doing this until I get all the way through this almost 40 page document.

In part 2, I provided the abridged version of section 4 of the EO. This is the full version.

If you develop software, this is going to be your best practices guide. Correction, this is going to be your minimal acceptable practices guide.

YOU SHOULD ASSUME LARGE COMMERCIAL BUSINESS CUSTOMERS WILL BE ASKING YOU ABOUT YOUR COMPLIANCE WITH THIS PART, WITHOUT REGARD TO WHETHER YOU SELL TO THE GOVERNMENT. THIS IS YOUR NEW REQUIREMENTS SPECIFICATION. FOR MANY OF THEM, NON-COMPLIANCE WILL MEAN DISQUALIFICATION FROM CONSIDERATION AS A VENDOR.

Sec. 4. Enhancing Software Supply Chain Security.

Supply chain is, of course, what was at the root of the SolarWinds attack and the Exchange server attack, so doing something to shore that up only makes sense.

  • Within 30 days, NIST will solicit input from government, industry and academia to identify existing or develop new standards, tools and best practices for improving supply chain security.
  • Within 6 months NIST must publish guidelines to enhance software supply chain security based on the conversations above.
  • Within a year NIST must publish additional guidelines, including rules for updating what has already been released.
  • Within 3 months of releasing the preliminary guidelines, NIST must issue guidance including standards and procedures for: secure software development processes, generating and producing documents to prove that they are following such practices, using automated tools to maintain trusted code, producing reports on the results of using such tools and making a summary available publicly, maintaining and providing a Software Bill of Materials (SBoM), running a vulnerability disclosure program, attesting to all of these practices and attesting, to the extent possible, to the integrity and provenance of any open source software used. THIS ITEM WILL BE A HUGE CHALLENGE FOR MOST ORGANIZATIONS.
  • Within 60 days NTIA will publish a minimum standard for what needs to be in an SBoM.
  • Within 45 days NIST and the NSA will define what is covered by critical software. That software is what this EO applies to.
  • Within 30 days of the above, CISA will identify a list of categories of software and products that meet the definition of critical software.
  • Within 60 days of the EO NIST will publish guidance for security measures for critical software. Note that the timeline of these last 3 items is very tight. Then OMB has 30 days to make sure that agencies are following this guidance. This includes making sure that new software acquisitions follow these rules. Agencies can request an extension which will be reviewed on a case by case basis. Waivers will also be possible, but only for a limited time period and only in exceptional cases.
  • Within a year DHS, the AG, OMB and the OEG will recommend FAR changes to the FAR council. The FAR council will then review and amend the FARs.
  • Once the FARs are updated, agencies must REMOVE software that does not meet the new FAR requirements from IDIQ contracts, FWACs, BPAs and multiple award contracts – basically all of the large purchasing vehicles that the government uses.
  • OMB will require agencies using legacy software acquired before the EO to either comply with the new requirements or get either an extension or a waiver.
  • Within 60 days NIST and the NSA will release software testing guidelines.
  • NIST will create a pilot program for labelling consumer IoT products for security capabilities. They will do this in a way that “incentivizes” manufacturers to participate.
  • Within 9 months the FTC will see if they can force participation in an IoT security labelling program via any existing laws (such as section 5 of the FTC act).
  • Within 9 months NIST and the FTC will identify secure software development practices to be part of the consumer IoT security labelling program above.
  • Within a year NIST will review these labelling programs for effectiveness and determine what improvements need to be made.
  • And, finally for this section, after a year, the Secretary of Commerce shall report to the President on what progress has been made regarding the requirements of this section.

Security News for the Week Ending May 21, 2021

Teslas can be Hacked via a DRONE Without any Owner Interaction

Researchers have shown how they can hack a Tesla from a drone without the owner even being aware that he or she is being attacked and, in particular, without the owner being involved in the takeover of the car. The attack, called TBONE, was reported to Tesla under its bug bounty program. The attacker can open the doors (and therefore steal anything inside) and modify configuration items like driving mode, steering and acceleration modes, but the drone can’t (yet) drive the car. The drone has to be within a 300-foot radius of the car to execute the attack. Of course, the attacker could also be sitting in a parked car nearby – doing the attack from a drone is just cooler. As a result, Tesla issued a patch that stopped using the vulnerable component, but, apparently, many other car makers still use it. Credit: Security Week

FBI’s IC3 Logs 1 Million Complaints in 14 Months

The FBI’s Internet Crime Complaint Center (IC3) took SEVEN YEARS to register its first million complaints. The most recent million only took 14 months. Obviously, the IC3 is better known now, but this only counts people who go to the effort to file a complaint. This represents a 70% increase in complaints between 2019 and 2020. This is not a great trend. Credit: Dark Reading

Let the Lawsuits Begin – Bitcoin Speculation is, Well, Speculative

Bitcoin is worth somewhere between $1 and $50,000, depending. Depending on what? Depending on the mood of social media. Right now 1 coin is down about $15,000 from a week ago. That is timed to when Elon Musk said that his starting of DogeCoin was a joke. The drop also coincides with Musk saying that Tesla would no longer accept cryptocurrency for cars. He said they were concerned about all of the energy needed for Bitcoin mining. Assume lawsuits will follow, even though they don’t seem to have any merit. In the meantime, there are billions of dollars lost in speculation. Credit: Vice

Darkside Gets Taken to Hacker’s Court For Not Paying Other Hackers

Darkside is the hacking group behind the Colonial Pipeline attack. After the attack, they were so toxic that they shut down – after taking all their Bitcoins with them. The problem with that is that they ran a ‘hack as a service’ model, so they owe other hackers lots of money. Therefore, the crooks are turning to the court system. No, not that court system. The hackers’ own court system. Just part of their business model. The good guys have been tracking this; they even have screen shots. To the hackers, it is just business. Credit: Threatpost

Attack on Florida Water Plant Was Not Its First

The Florida water treatment plant that was hacked earlier this year and nearly poisoned the entire town — that was not the first attempt on the plant. It turns out that a vendor that builds water treatment plants (infrastructure) hosted malicious code that was designed to attack water treatment plants in general. It is not clear that the attacks were successful. It looks like the hackers who had compromised that infrastructure vendor were only in the reconnaissance stage – collecting information about the visitors – but in the time window that the malware was active, 1,000 people visited that web site. Clearly, the hackers are after the infrastructure. You could threaten to kill people or even destroy the plant. That would probably get them paid off. Credit: The Hacker News

Executive Order on Cybersecurity Part 2

As I said yesterday, some EOs are a couple of paragraphs long. This one goes on for pages. Today’s post is going to cover the section of the EO that addresses supply chain risk. Supply chain risk, as we saw in both the SolarWinds and Microsoft Exchange attacks, is a huge problem. So what does the EO do?

  • The Commerce Department, through NIST, has only 30 days to solicit input from government, academia and the public to identify existing or develop new standards, tools and practices for complying with other requirements in this EO.
  • NIST must publish preliminary guidelines for complying with this EO within 180 days.
  • Within 360 days NIST will publish guidelines for reviewing and updating the guidelines above.
  • Within 90 days NIST must issue guidance identifying practices that enhance the security of the software supply chain. This must include standards, procedures or criteria such as:
    – Secure software development environments
    – Creating and delivering documentation proving the use of SSDL practices
  • Within 60 days, Commerce and NTIA must publish minimum elements for an SBOM. NTIA has been working on this since 2018 and I have been involved in this effort. This is critical.
  • Within 45 days NIST, consulting with the Secretary of Defense (SecDef), shall publish an official definition of what software is considered critical. Likely this includes anything that runs with more than normal user permissions. Then, within another 30 days, CISA will release a list of categories of software and software products that fit into that definition.
  • Within 60 days, NIST and CISA will release guidance for required security measures for critical software.
  • Within 30 days, OMB will take appropriate steps to make sure agencies comply with this guidance and specifically with respect to software that they obtain after this EO was issued.
  • While agencies may ask for an extension in complying with a specific requirement, OMB will review those requests on a case by case basis.
  • Within a year, OMB will provide recommended FAR language changes to the FAR Council.
  • Within 60 days, NIST, consulting with NSA and SecDef shall publish software security testing guidelines.
  • Within 270 days NIST must identify IoT cybersecurity criteria for a consumer (security) labelling program. This shall reflect increasingly comprehensive levels of security testing.
  • Within 270 days NIST must identify security software development practices or criteria for a consumer software labeling program. The labeling shall reflect a baseline level of secure practices and if practicable, increasing levels of comprehensive testing and assessment.

Okay, I left a bunch of section 4 out for clarity. The highlighted items will affect consumers or are otherwise important. I am sure that some companies will try to sue the government. Congress may have to act. But even if these labels and standards are voluntary for now, some companies will think it is great marketing to push what they are doing and the other companies will be pressured to step up to the plate. If some companies lie about what they are doing, the FTC can come after them.

We are now about half way through the EO. As you can see, this has a lot more meat than most EOs. If you sell products (hardware or software) to the government, to other companies that sell to the government or to consumers, you need to be considering your plans now.

Credit: The Cybersecurity Executive Order

Executive Order on Cybersecurity Part 1

While this EO and almost all EOs only affect what executive branch agencies do, it is likely that it will have a big effect on cybersecurity in general. Here are some requirements:

  • The government uses a lot of commercial cloud software. Current contract terms may limit what data a cloud provider is allowed to share with departments or agencies that are responsible for investigating or remediating cyber incidents. In some cases, the reverse may be true – service providers may not be contractually required to share information on malicious activity on their systems unless the agency is the direct target or victim. Even if they are required to notify that agency about a breach, they may not be allowed or required to notify, say, the FBI. If it is not in writing and it hurts the image of the company – well, they are probably not going to tell. The service providers may have contracts with other customers which prohibit them from disclosing information about that customer to, say, the government. The OMB has 60 days to make recommendations for changes to the FARs and DFARS to facilitate information sharing. This new language needs to address collection and preservation of data and a requirement to share this data with whoever OMB thinks is important. The FAR council has 90 days to publish proposed changes after that.
  • Within 120 days DHS and the FBI need to take steps to maximize the data sharing with service providers that is possible under current contracts.
  • Within 45 days, DHS, working with NSA, the AG and OMB needs to recommend to the FAR council contract language regarding what cyber incidents must be reported with a not to exceed reporting window of 3 days for serious incidents.
  • Within 60 days DHS/CISA, working with NSA, OMB and the GSA shall review agency specific policies and contract terms for cybersecurity and make recommendations to the FAR council on standard language. The FAR council has 60 days to publish their recommendations based on this input.
  • Here is one that will likely affect the entire industry. The federal government will adopt security best practices, advance zero trust, move towards secure cloud services, etc. Agencies have 60 days to come up with a plan.
  • Within 90 days, OMB, CISA and GSA will come up with a coordinated cloud security strategy and provide guidance to agencies.
  • Within 90 days the same team will develop and release a standard cloud security architecture for agencies to use in procurements.

This is just from section 3. More later on other sections. Look at these requirements. A REALLY short time line for the federal government. Normal timelines are measured in years or decades. It requires standards. Obviously this won’t get DONE in 45-60-90 days, but the roadmap will be developed. Understand that with this kind of aggressive timeline, the results will not be pretty, but it should move things in the right direction. That will impact everyone who sells to the government and clearly, they are not going to develop two separate versions of the product – one for the government and one for everyone else.

Look for more information on the EO tomorrow.

Source: White House EO on improving cybersecurity

Cybersecurity News for the Week Ending May 14, 2021

If You Thought the FTC Was Toothless Before, Just Wait

I always complained that the FTC’s penalties were way too meek. Now I understand why, but it has just gotten MUCH worse. 99.99% of the blame goes to Congress. Initially, the FTC could not bring lawsuits against businesses at all. All they could do was to hold an administrative hearing. Then they could issue an order telling a business to stop doing bad things. In 1973 Congress added Section 13(b) to the FTC act, allowing the FTC to go to court and get an injunction – again, no penalty for past bad deeds. In 1975 Congress added Section 19, which allows the FTC to seek monetary damages – after obtaining a cease and desist order and then only for future bad deeds which were obviously malicious, so still no relief. Last month the Supreme Court agreed that Congress, in its stupidity, did not grant the FTC any ability to make consumers whole for companies that break the law. Individually, a person can still sue the company – spending a lot of money and years. Maybe they can convince some State AG to take up their case – maybe. If you can convince the Justice Department to go after some company, that is possible too, but all of those take years, maybe a decade with appeals. Congress intentionally neutered the FTC. This is the result. Will Congress act now? Your guess is as good as mine. Credit: ADCG

Apple is Privacy Focused – Except if it Hurts their Rep

Epic Games and Apple are fighting in court, and lawsuits tend to get dirty. In countering Apple’s argument that they didn’t want Epic to bypass their store because they want to protect their customers, Epic trotted out emails showing that Apple chose not to notify 128 million customers after a supply chain attack called XcodeGhost. This is the largest ever known attack against Apple products. They said notifying all those people would be hard and it would damage their reputation. They never did notify anyone. So much for being a privacy focused company.

The True Cost of Ransomware

Insurance giant CNA announced in March that it had suffered a “sophisticated cyberattack” (what you and I call ransomware). This week, two months later, they announced that all of the systems were back up and that yes, surprise, it was a ransomware attack. They said it took them two months to get back online because they had to restore each system, then scan and clean it and finally, harden it. This is the cost of ransomware. A lot of hard work and, more importantly, months of time. If you do not have good backups, add to that the loss of data. And, as Colonial Pipeline learned this week, just because the hackers give you the decryption key, it doesn’t mean that the decryption process will be fast (they said that they were restoring from backups, even though they paid the $5 million in ransom) or that it will even work. Credit: Security Week

Global Chip Shortage Much Worse than Communicated

OUT OF STOCK! Expect to see more of that message.

In addition to phones, computers and laptops, expect to see those signs elsewhere, such as appliances and kids’ toys. Already car makers are replacing cool tech like high tech entertainment consoles with radios. Probably with knobs and dials. Maybe that fancy auto-parking feature, well, it is not available. Manufacturers are looking at which products are more popular or offer them higher margins and just not shipping some other models. Samsung is considering completely skipping the next generation of the super popular NOTE phones altogether. Expect the problem to continue into and through 2022. Credit: ZDNet

China has Collected Health Data of 80% of US Adults

China wants our data. Our health data is particularly useful because our population is very diverse. That makes us useful for them to test their software and systems on. Besides stealing that data, they are doing things like setting up Covid testing labs. What do you get with every sample? Our DNA. China wants to beat the US out of the biotech industry and stealing our data is helping them. Credit: The Hill

Colonial Pipeline – the Saga and the Fallout

The saga of the Colonial Pipeline hack continues. Colonial says that there is fuel flowing through the pipeline again but it will take time to get all of the tributary lines operational.

But more importantly, many sources are reporting that Colonial paid $5 million in cryptocurrency to the Russian hackers on Friday, contradicting earlier reports that the company did not plan on paying the ransom. They paid the ransom, it is being reported, immediately. Even though Treasury said that paying terrorists a ransom violated OFAC and could land you in jail for 20 years, in this case the government apparently knew about the payment and, well, we don’t know what the conversation was. My guess is they said, oh, in the case of critical infrastructure, the law doesn’t actually apply.

Next, it is being reported that the decryption tool was so slow that Colonial is restoring from backups in parallel with decrypting their servers.

The White House did a “no comment” on whether they knew about the ransom, which, of course, in political talk means, of course we knew.

One pundit pointed out that if the lack of security had been going on for years, paying the ransom was way cheaper than actually protecting the network.

Credit: Bloomberg

Next comes some more bad news for Colonial. Three years ago Colonial hired an outside auditor. The auditor said that they found “atrocious” information management practices and “a patchwork of poorly connected and secured systems.”

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

In response, the company said that they had hired four independent firms and increased their spending by 50%, whatever that means. They said they have spent tens of millions of dollars. So, for one of the largest oil companies in the country, possibly this means that they spent $10 mil/4 years = $2.5 million a year. Hmmm. We don’t know, but it doesn’t seem impressive.

On the other hand, this is likely wonderful ammunition for the plaintiffs’ attorney.

Credit: The Washington Post

Finally, likely in response to this mess, the White House released its much talked about and long-awaited cybersecurity executive order. Think of an EO as an inter-departmental memo. All the President can do is make some changes in how the executive branch interacts with vendors. On the other hand, they spend tens of billions of dollars a year, so if a company wants to continue to do business with the government, they will have to follow the EO’s procurement rules. And, they likely cannot have two sets of rules, one for government sales and one for commercial sales.

Here are some of the things that the EO covers:

  1. Removes contract barriers between the government and IT providers to information sharing and requires providers to share breach information.
  2. Moves the government towards secure cloud, zero trust and multifactor authentication.
  3. Makes a baseline security standard for software sold to the government a requirement and requires developers to make security information public.
  4. Establishes a Cybersecurity Safety Review Board that will operate like the NTSB after a plane crash (Colonial definitely fits into that category).
  5. Creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.
  6. Creates standards for endpoint protection in government systems, incident response and improves incident detection.
  7. Creates a standard requirement for agency security event logs to better analyze incidents.

There is lots more (the EO is over 30 pages; many EOs are 1-2 pages). Commerce (NIST) gets to create #3 and apparently, it even requires an SBOM – Software Bill of Materials.

The devil is in the details, but this is only about 25 years overdue.

More to come on the EO, but this is turning into a PR nightmare for Colonial. I am guessing the vultures, err, lawyers, have already started circling over the carcass.