Tag Archives: DoD

DoD Releases Draft CMMC Guidelines

The Department of Defense is probably the largest software development (and hardware development) organization in world but unlike say Microsoft or Cisco, almost all of the development is performed by third parties – the so called defense industrial base or DIB.

It is also likely the number one target of nation state hackers since a major weapons system like the F-35 might cost a trillion dollars over its lifetime and it is way cheaper for countries like China to steal the tech than to develop it.  For example, China stole the plans for the F-35 and built the J-31 (see news item here).  Unfortunately, that is far from an exception.

The DoD has been trying to tighten up security among the base of hundreds of thousands of contractors (there are 300,000 + contractors that handle sensitive unclassified information called CUI and that is just one category of information).

The government wrote a security spec called NIST SP 800-171 but enforcement has been weak.

This year, working with Carnegie Mellon, Johns Hopkins and Mitre, the DoD is developing a “Cybersecurity Maturity Model Capability” (CMMC) very similar in concept to the model Carnegie Mellon developed for software developers (CMM) back in the 1990s.

The plan is that all DoD suppliers will be required to be certified by a third party. Every year,

While the model is only at version 0.4 and will not be finalized until next January, here is what it looks like right now.

  • There are 18 domains
  • The domains are comprised of capabilities
  • The capabilities have processes and practices
  • Certification runs from level 1 to level 5
  • Level 1 requires basic cybersecurity in an ad hoc manner and is designed for small companies who are not working on very sensitive projects
  • Level 5 is advanced security practiced in an optimized fashion
  • There are 35 practices for level 1
  • For level 5, which includes levels 1-4, there are 370 practices – all subject to change at this point
  • Very few companies will need to be certified at level 5

Click here to review the overview document for version 0.4.

For those people who are familiar with the NIST Cyber Security Framework (CSF) or NIST SP 800-53, this will all look very familiar.

The problem is that a large number of defense suppliers are small businesses that have no security program at all.  For these companies, they will be required to get to at least CMMC Level 1 and be certified annually by a third party.  This could come as  a shock to some.

While DoD messed around with enforcing NISP SP 800-171, there have been a number of serious DoD breaches over the last few years which have embarrassed the Pentagon brass, so it APPEARS that they are serious about this.  WE. SHALL. SEE.

The plan is for the standard to be done by January – warp speed for DoD, be included in RFIs by June and be included in RFPs by September.  Assuming they don’t blink (and it would be easy to put it into selective RFPs as opposed to making it a mandatory requirement), that would mark a huge change for the Department.

A complete copy of the draft can be found here.

My suggestion – if you are anywhere in the DoD supply chain – is to start learning about the CMMC and begin implementing basic cybersecurity practices now.  If you are at the more sensitive end of the DoD food chain – Secret, Top Secret and SCI – start looking at CMMC Levels 3 thru 5.

DoD has also said that they are going to start including security along with cost, schedule and function in contract awards and Katie Arrington has publicly said that DoD understands that they are going to have to pay for some of this.  Katie is the special assistant for cybersecurity, reporting up to Ellen Lord, who is the Undersecretary for Acquisition and Sustainment – the person who is responsible for buying tens of billions of dollars of weapons every year.

Read these documents and get started now because if DoD actually does what it says, it will be a scramble to comply and if they actually make security an award criteria, doing it later won’t matter – you won’t get the award.

Facebooktwitterredditlinkedinmailby feather

Navy Trying to Fix Their Cybersecurity Mess and Congress is Not Helping

After a horrifying independent review of the Navy’s current cybersecurity posture,  the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle  cyber.  This comes after the Navy eliminated the role of CIO last year.

Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval.  They are also going to assign about 15-20 people to a team to work on the task.  Since there is no new money for this, many of these people will be getting additional jobs.  That, of course, will make them less effective, but at least the Navy is trying.

The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer.  Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person.  They hope to attract folks from industry with numbers like this.

Their objective is to improve security across the Defense Industrial Base in light of the Chinese (and others) threat.  A key priority is to get second, third and fourth tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.

Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it.  In combination with the new proposed third party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts.  A good strategy would be to up your cybersecurity program effort in advance of these new rules going into effect, because it will take a while to get your program up to speed.

Source: Federal Computer Weekly.

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update:  The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper.  All computers and servers were turned off and the city disconnected from the Internet.  While writing a receipt by hand for your library fines is quaint and works, I am not what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000,   We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks.  Source: City of del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion.  Retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent.  China is a very important growth market for China since most of the western world is i-saturated.  If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales.   Given that an iPhone XS max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead.  Apple’s stock has taken a tumble from $230 on October 3 to to $153 on January 10.  While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue).  Not to worry though, Apple still has over $100 billion in cash in the bank.  (source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm.  In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China).  This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above.  (Source: Bleeping Computer).

 

Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hoster’s systems – holes that would allow for an account takeover.  The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage.   It is reasonable to assume if we found these holes, there are more to be discovered.  In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management.  Just because a vendor is big does not mean that it is secure.  Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now.  Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors.  Of them, 5 did not always use multi-factor authentication when accessing missile information.  They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.

 

Facebooktwitterredditlinkedinmailby feather

DoD Moving Forward on Cybersecurity After Breach

In the wake of the cybersecurity disaster at the Naval Undersea Warfare Center, where a contractor lost control of over 600 gigabytes of extremely sensitive weapons system data for the Sea Dragon program, the DoD is reacting.  Sea Dragon, based on the few details we have, is a disruptive offensive weapon targeting Chinese submarines.

Among the data compromised is cryptographic information about how the subs communicate.

Now the Chinese have those secrets and the billions of dollars probably spent on the program may be flushed down the toilet.

DODDAC, the Department of Defense Damage Assessment Center, is trying to assess the level of damage that was done.  It is likely that we will never find out the true impact of this breach.

The category of information that was breached is known, generally, as controlled unclassified information or CUI.  The DoD has been talking for years about implementing an acquisition rule called DFARS 204.252-7012, securing controlled unclassified information and NIST SP 800-171, the how to guide for doing that.  December 31, 2017 was supposed to be the date the regulation went into effect, but in mid December the DoD blinked.  Again.  The instructions to industry were that they just needed to have a plan for becoming compliant.

But the problem is that no one was assigned to fix the problem.

In the wake of this new and recurring scandal, Defense Secretary  Jim Mattis ordered the Under Secretary of Defense for Intelligence to deal with this.  The Under Secretary instructed the Defense Security Service, who is accountable for managing classified information in the defense contractor community, to come up with a plan to manage controlled unclassified information too.  The challenge with that is the amount of controlled unclassified information and the number of people handling it dwarfs the amount of classified information by many times.

Given this, what should defense contractors and sub-contractors do now?

While we don’t know the how and the when, it is very likely that DoD will begin to clamp down on how contractors handle CUI and the Defense Security Service will expand their sphere of influence to contractors handling CUI.  Starting with the primes – and letting them handle the subs.  We have seen that this has already started, but we believe it will accelerate.

For the most part, what NIST 800-171 mandates is “best in industry” cyber security practices.

If you are a contractor, you should be actively working on becoming compliant.  You should have been already doing this, but there should be more urgency now.  Starting with implementing the policies, procedures and practices and moving on from there.  Adding the controls and monitoring; incident response and so on.

While we don’t know when, my guess is General Mattis does not want another disaster on his watch and he already has the regulations on the books to help fix the problem.  All he needs to do is make it happen.  Remember, Generals, especially Marine Corps Generals,  are very good at “making it happen” and I would not question his desire to not be embarrassed again.  He is going to have to, at some point, explain to Congress why the billions of dollars they gave him have been wasted.  Not a fun conversation.

Given all this, being prepared is a really good plan.  We can help.

Information for this post is based on a memo from the Pentagon.

Facebooktwitterredditlinkedinmailby feather

Pentagon Blocks Links In Email

The Pentagon has a better way to stop users from clicking on phishing email – neuter the emails.

Below is an example of what the email that you send to someone in the DoD might look like before it enters the DoD email system and when the user sees it.

LinksEnabled               Linksdisabled

Needless to say, from the user’s standpoint, the resultant email is basically trash.

In part, how bad things are will depend on how much of the HTML in email they disable.  If they disable all of it, for DoD users, email goes back to the way it was in 1980.  If you send anything other than a text email with no linked graphics and no formatting, the user will be not able to read it.

If you send an email that links to content out on the ‘net, which a lot of corporate email does (like the example above), the user will likely just delete it.

If the graphics are embedded in the email (which is the way it was in the early 2000s until that resulted in emails that were so large that email servers could not deal with them), then the DoD mail scrubbing software will be able to analyze the embedded graphics for harmful content and probably your email will emerge mostly unscathed.

What this means for people who send email to DoD mailboxes is that they are going to need to be conscious of how that email is constructed and what their DoD user is going to see.

Certainly for any form of advertising email/ product email/ blog etc., businesses are probably going to need to rethink their strategies and come up with a different format of email for those millions of DoD users.

Of course, there is another option that DoD users have been using for years and that is GMail.  I have lost count of the number of DoD people who have told me over the years to send my emails to them at their GMail accounts because DoD emails are unreadable.

Of course, all that does is move the entry point for the malware from Outlook to the browser.  That’s sure a lot safer – NOT!

*IF* DoD blocks GMail and other webmail solutions, that would make things very difficult for DoD users – but that likely is going to be required.  If the DoD user can’t click on a phishing link in their Outlook mail but can click on that link in their GMail, how have we helped things?

IF corporations start neutering emails, that will make marketers very unhappy.  They have spent a lot of time and money attempting to make email pretty and if you force them to go back to 1980 email in order to get something that a corporate user can even read – that will be a problem.  The good news is that is completely unlikely to happen except at the very most security sensitive companies – maybe a fraction of one percent or less.

Still, it could get interesting.  And at least for the millions of DoD users, it is going to happen.

 

 

Information for this post came from Federal Computer Weekly (FCW)

Facebooktwitterredditlinkedinmailby feather