In a concerted effort to spread the word on the threat posed by China to governments at the state and local level as well as businesses of all sizes, the U.S. National Counterintelligence and Security Center (NCSC) issued a “Safeguarding Our Future” bulletin. “Protecting Government and Business Leaders at the U.S. State and Local Level from People’s Republic of China (PRC) Influence Operations” differs from previous warnings on China’s use of social networks, pseudo-state-sponsored hackers, etc. The NCSC highlights how the Chinese intelligence apparatus uses a whole-of-government approach as it works to acquire information in support of Communist Party of China (CCP) directives.


If one were to build a Venn diagram to compare the onboarding, educating, supervising, and offboarding of staff versus contract workers, the areas of difference might offer a surprise. In this case, surprises aren’t what a CISO wants to encounter. Thus, such a diagram, as part of an insider risk threat management program, highlights the delta between the two types of workers and how they are handled.

The concept of core and context when it comes to separating the duties of the full-time-equivalent workforce into staff and independent contractors has long been an ongoing challenge for every enterprise and small- to medium-sized business. Add to the mix the contracted service offerings -- for example, a managed security service provider -- and entities find themselves handing the keys to the kingdom over to a third party to handle tasks at hand. On top of that, the past two-plus years have caused many an entity to undergo a momentous change to how employees/independent contractors engage, with a noted influx in the remote work option.


In a riff on the “Field of Dreams” theme, Russian cybercriminals continue to court their Chinese counterparts in hopes of forming mutually beneficial avenues of collaboration and are finding the Chinese to be a tough date. The latest peek into this engagement of Russia-China “frenemies” comes to us from Cybersixgill and its The Bear and The Dragon analysis of the two communities.

Russian cybercriminals motivated by money, Chinese by knowledge

The Cybersixgill findings have the two cybercriminal communities colliding and attempting to form what appears to be a “fledgling alliance.” This is a step above where the situation stood in November 2021, when Flashpoint Intelligence connected the dots between Chinese and Russian threat actors.


Insider threat and risk management programs are the Achilles heel of every corporate and information security program, as many a CISO can attest to. The MITRE Inside-R Protect program is the organization’s latest initiative to assist both public and private sector efforts in addressing the insider threat. The Inside-R program’s bar for success is high. The focus of Inside-R is on evolving analytic capabilities focused on the behavior of the insider. To that end, MITRE invites the participation of government and private organizations to provide their historical insider incident data to the organization’s corpora of information from which findings are derived.


The market for you and your device’s location is enormous and growing. That data is collected by your network provider, by apps on your smart devices, and by the websites with which you engage. It is the holy grail of marketing, and infosec’s nightmare.

Companies that produce location-tracking algorithms and technological magic are riding the hyper-personalized marketing rocket, which continues to expand at breathtaking speed. In the fall of 2021, Grandview Research estimated the U.S. market alone to be approximately $14 billion USD and expected it to expand at a compound annual growth rate (CAGR) of 15.6% from 2022 to 2030.


Congressional hearings on artificial intelligence and machine learning in cyberspace quietly took place in the U.S. Senate Armed Forces Committee’s Subcommittee on Cyber in early May 2022. The committee discussed the topic with representatives from Google, Microsoft and the Center for Security and Emerging Technology at Georgetown University. While work has begun in earnest within industry and government, it is clear that much still needs to be done.

The hearing chair, Senator Joe Manchin (D-WV), articulated the importance of AI and machine learning to the armed forces of the United States. Additionally, the committee highlighted the “shortfall of technically trained cybersecurity personnel across the country in government and industry alike.” This perspective aligns with the Solarium Commission report, which was subsequently released in early June 2022.


The Cyberspace Solarium Commission 2.0 released its most recent report on June 02, 2022. This iteration re-affirmed the continued need for public-private partnership in cybersecurity, including the development of shared resources and increased investment in a cyber workforce. Additionally, the report included a plethora of recommendations for the U.S. national cyber director’s action concerning educating and developing the national cyber workforce, as well as expanding the hiring authorities for cyber positions, and establishing “special pay rates for the most in-demand roles.” The 43-page report included seven fulsome recommendations for the national cyber director, U.S. Congress, and the private sector, which if adopted would serve to enhance the recruitment, retention, and performance of the nation’s cyber workforce in both public and private sectors.


If one were to look into the Federal Court’s Public Access to Court Electronic Records (PACER) system, one would see that more than 130 separate lawsuits have been filed against the U.S. Government’s Office of Personnel Management (OPM), all of which are associated with the 2014 and 2015 data breaches that affected millions.

On June 3, 2022, in the U.S. District Court of the District of Columbia, Judge Amy Berman Jackson will hold a video hearing on the proposed settlement of $63 million between the U.S. Government’s OPM, its security contractor Peraton (then KeyPoint), and the victims of the OPM data breaches.


The lawyers continue to gather their billable hours as the legal tussle between data science company hiQ Labs and LinkedIn plays out in the United States federal courts. The most recent update took place in the Ninth Circuit Court of Appeals, with Judge Marsha Berzon writing the opinion, where hiQ Labs was granted a continued preliminary injunction, which allows the company to access LinkedIn’s publicly available corpus of data. The ruling also remanded the case for further proceedings on the subject. In addition, the court held that hiQ’s actions do not violate the U.S. Computer Fraud and Abuse Act (CFAA).


Truth, transparency and trust are the three T’s that all CISOs and CSOs should embrace as they march through their daily grind of keeping their enterprise and the data safe and secure. Failure to adhere to the three T’s can have serious consequences.

Case in point: A federal judge recently ordered Uber Technologies to work with its former CSO, Joseph Sullivan (who held the position from April 2015 to November 2017), and review a plethora of Uber documents that Sullivan has requested in unredacted form for use in his defense in the upcoming criminal trial.

The case against Uber’s former CSO

By way of background, Uber’s former CSO faces a five-felony-count superseding indictment associated with his handling of the company's 2016 data breach. The court document, filed in December 2021, alleges Sullivan “engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC and to impacted users and drivers.” Furthermore, the two individuals who are believed to have effected the hack and subsequently requested payment for non-disclosure ultimately received $100,000 from Uber’s bug bounty program. These individuals were identified in the media as Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, both of whom were later indicted for their breach of Lynda (a company acquired by LinkedIn).
