Defense Cybersecurity: Protecting Controlled Unclassified Information Systems

DOD computer systems contain vast amounts of sensitive data, including CUI that can be vulnerable to cyber incidents. In 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in an 11-day shutdown while cyber experts rebuilt the network. This affected the work of roughly 4,000 military and civilian personnel.

In response to Section 1742 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, in June 2021 DOD submitted a report to the Congress on cybersecurity of CUI. The report discussed the extent to which DOD had implemented selected cybersecurity requirements across the department. The act included a provision for GAO to review DOD's report, and GAO has continued to monitor the department's subsequent progress.

This report describes 1) the status of DOD components' implementation of selected CUI cybersecurity requirements; and 2) actions taken by DOD CIO to address the security of CUI systems.

GAO's review focused on the department's approximately 2,900 CUI systems. GAO examined relevant CUI cybersecurity requirements and data from DOD information technology tools. Also, GAO analyzed documentation such as relevant DOD cybersecurity policies and guidance on monitoring the implementation of cybersecurity requirements, and interviewed DOD officials.

The Department of Defense (DOD) has reported implementing more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO's analysis of DOD reports (including a June 2021 report to Congress) and data from DOD's risk management tools. These selected requirements include (1) categorizing the impact of loss of confidentiality, integrity, and availability of individual systems as low, moderate, or high; (2) implementing specific controls based in part on the level of system impact; and (3) authorizing these systems to operate. As of January 2022, the extent of implementation varied for each of the four requirement areas. For example, implementation ranged from 70 to 79 percent for the cybersecurity maturity model certification program DOD established in 2020, whereas it was over 90 percent for authorization of systems to operate.

DOD is not required to implement all 266 security controls. In some cases, a specific security control may not be applicable to a particular system due to its function. Also, there are some systems for which the authorizing officials may need to implement security controls that are in addition to the 266 identified as moderate-impact for confidentiality because of the type of information that is stored or transmitted in that system.

As the official responsible for department-wide cybersecurity of CUI systems, the DOD Office of the Chief Information Officer (CIO) has taken recent action to address this area. Specifically, in October 2021 the CIO issued a memorandum on implementing controls for CUI systems. The memo identified or reiterated requirements that CUI systems must meet. These included requiring additional supply chain security controls and reiterating that all CUI systems have valid authorizations to operate. In addition, the CIO reminded system owners of the March 2022 deadline for all DOD CUI systems to implement necessary controls and other requirements. The Office of the CIO has been monitoring DOD components' progress in meeting this deadline.

CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the US

The Cybersecurity and Infrastructure Security Agency convened a three-hour call with over 13,000 industry stakeholders to provide an update on the potential for Russian cyberattacks against the U.S. homeland and answer questions from a range of stakeholders across the nation.

As President Biden noted, evolving intelligence indicates that the Russian Government is exploring options to conduct potential cyberattacks against the United States. CISA echoed the President’s warning on the call and reinforced the urgent need for all organizations, large and small, to act now to protect themselves against malicious cyber activity.

On the three-hour call, CISA Director Jen Easterly, Deputy Executive Assistant Director for Cybersecurity Matt Hartman, and Tonya Ugoretz, Deputy Assistant Director for the FBI’s cyber division, encouraged organizations of all sizes to have their Shields Up to cyber threats and take proactive measures now to mitigate risk to their networks. They encouraged those on the line to visit CISA.gov/Shields-Up to take action to protect their organizations and themselves and urged all critical infrastructure providers to implement the mitigation guidelines enumerated on CISA.gov/Shields-Up, including:

- Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
- Update the software on your computers and devices to continuously look for and mitigate threats;
- Back up your data and ensure you have offline backups beyond the reach of malicious actors;
- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
- Encrypt your data;
- Sign up for CISA’s free cyber hygiene services; and
- Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.

Director Easterly urged all organizations, regardless of size, to contact CISA immediately if they believe they may have been impacted by a cyber incident. When cyber incidents are reported quickly, CISA can use the information to render assistance and help prevent other organizations and entities from falling victim to a similar attack.

The event built on a series of briefings that CISA has been convening since late 2021 with U.S. Government and private sector stakeholders at both classified and unclassified levels. This outreach was provided to Federal Civilian Executive Branch Agencies, Sector Risk Management Agencies, private sector partners, state, local, tribal, and territorial (SLTT) governments, and international partners. To date, CISA has hosted or participated in more than 90 engagements reaching tens of thousands of partners.

Security Industry world-wide preparing and bracing for the expected crime wave that may occur because of the Russian and Ukrainian affair

The pandemic resulted in an economic meltdown with crime related issues. The Russian and Ukrainian saga is a global threat because it impacts globally on the energy security. Oil and natural gas are the foundation to all costs for living. Besides such, Ukraine exports grains to many countries which will add and impact the cost of food such as cooking oil, bread and beer.

A second economic meltdown after the pandemic that initially lip-slapped the economy would be a massive blow to all financial sectors and industries.

Statement
Kunwar Singh, Chairman of CAPSI | Central Association for Private Security Industry states ‘’ the private security industry is larger than any military force in the world. The private security has the skills to manage the behaviour of the population. Furthermore, the industry has the skills, technology and equipment to find the crime and stop it more effectively. Simply put the security industry is providing more eyes on the ground therefore supporting the police in locating and catching criminals. The security industry must be acknowledged as a vital partner by the regulators’’.

CAPSI [Central Association for Private Security Industry], ISIO[International Security Industry Organization] and SASA (representing 9.15 million practitioners) call upon all security regulars world-wide to take certain steps to ensure a wider market for the legitimate traders. The regulators must protect the industry against illegitimate security companies and practitioners besides criminal elements that could attempt to penetrate the industry.

Learning from History
The economic meltdowns of the past recorded long lines of unemployed people and hungry people. The recent and current statistics related to the meltdown due to the pandemic affirm once again that many are jobless. Every country could be the same or their unique issues relating to the associated crime. One could deduce that whatever the stats were regardless of location, the levels of crime escalated. An example of recent demonstration and riots. These occurred in certain countries that experienced massive mobs against vaccinations.

In specific locations there were mass groups looting under the guise of a politically induced narrative. There were small mob attacks directed towards migrant owned small business besides increased number of pro-nationalist demonstrations on businesses that employ migrants under the banner ‘give the jobs to the citizens. The practitioner should consult their own crime statistics in their location and may be surprised at the escalation overall but pay attention to specific crime.

Possibilities of crime in this economic meltdown
The biggest threat on the ground would be the logistics. Gangs of people hijacking and theft of tankers carrying petrol, food and for that matter anything. These are soft targets on wheels carrying high value goods already without effective security systems. Any interruption in the logistic chain could cause chaos.

Each location and field of interest more than likely experience bribery and corruption of any kind for jobs. Consider expanding your crime research for such when considering the vulnerability landscape because this crime could lead to major reputational damage that obviously effects revenues.

Tony Botes of SASA |South African Security Association says, ’when a country has major job losses then desperate people can do anything. It is vital to protect the entire logistic chain from warehouses stocking all goods, the vehicles as well as the route because empty burnt trucks could shut the road for days causing high anxiety for the population.’

Profit Protect Clients and Security Companies
Clients should avoid reputational damage and lawsuits by using unlicensed security practitioners.
• When using an unlicensed security company then consider that there is no oversight and governance besides their staff being vetted. This could lead to organized or gang crime using the assets of the business for their needs or the staff adding to the loss of profits in some way or the other.

Avoid reputational damage by using professional companies
• When security companies cut rates to clients by cutting costs then they may not be training their staff properly or managing the site professionally. People carry phones that can record bad behaviour and social media could destroy reputations which could be costly.

False Alarms: Attending to false alarms costs money. AI (artificial intelligence) saves the client money because the technology is able to read and distinguish between a false and positive alarm.

Also, AI can
• notify appropriate people to respond thus not wasting money on irrelevant people that also cost money in transportation besides for their time.
• some perpetrators could be stopped before the crime is fully realized or caught quickly saving money and anxiety.
• reducing the percentage of budget for loss prevention
• AI could identify an individual perpetrator or mob formation and could activate counter measures to reduce the collateral damage and related costs.
• Using AI provides the opportunity to increase the number of security investigators that are focused on looking for crime or handling aggressive and violent behaviour and stopping it.
Avoid chaos: There are some sites that could experience specific issues because of the desperation of people. There are sites that could have a high probability of issues related that could demand for strategic security. Chaos can be expensive when the collateral damage is related to staff being hospitalized, assets destroyed or stolen besides the time needed to repair all besides the loss of revenue.
• The professional security company would ensure that the workforce at the entrance control is layered by specific skillsets to reduce the probability of aggressive and violent behaviour.
The economic meltdown can deliver a larger number of criminals and a wide scope of criminal methods on the stage and into the spotlight. This calls for heightened security measures. Criminals may attempt to penetrate buildings for nefarious reasons such as home invasions, burglary, rape, murder or kidnapping. It is costly dearly to emotionally repair people or replace assets.
• AI can assist using applications such as allowing entry to only recognized approved people on their own or escorting others. Obviously. all entry and exit points need to be covered.
• Stop tailgating entry by opportunistic perpetrators

Protect specific assets: The theft of company secrets could tremendously cost a company with loss of market share (money) without them knowing so.

Juan Kirsten of ISIO | International Security Industry Organization remarks that ‘’the security industry has had years of experience in using all types of security technology for example cctv and alarm systems. It is coincidental that AI has matured to the degree that it must be considered as vital tools to use for this threat on the ground. The vulnerability landscape can change speedily and dramatically that calls for devices such as drones, IoT, or software that can improve comprehending the situation and reacting accordingly and timeously’’

Tackling Security Challenges in 5G Networks

The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.

Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.

The report released today supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

How does it work?

Traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. Network Function Virtualisation is a new technology used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms.

Applying network function virtualisation will therefore reduce the number of operations and maintenance costs.

60 security challenges were identified in the report and classified under 7 categories:

- Virtualisation or containerisation;
- Orchestration and management;
- Administration and access control;
- New and legacy technologies;
- Adoption of open source or COTS;
- Supply chain;
- Lawful interception (LI).

How do we address the security challenges

The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. The work includes a total of 55 best practices classified under Technical, Policy and Organisational categories.

Some of the key findings the report include:

- Resource virtualisation:
The virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences.

- Resource sharing:
A single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.

- Use of open source:
There will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws.

- Multi-vendor environment:
In such environment, it remains difficult to coordinate security policies and determine responsibility for security problems and more effective network security monitoring capabilities are required.

NFV is an important technology in 5G and its security is critical for the overall security of the 5G networks, especially because 5G networks are underpinning critical infrastructures.

Building cyber secure Railway Infrastructure

The European Union Agency for Cybersecurity (ENISA) delivers a joint report with the European Rail Information Sharing and Analysis Center (ISAC) to support the sectorial implementation of the NIS Directive.

The report released is designed to give guidance on building cybersecurity zones and conduits for a railway system.

The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with a guidance to help railway operators with the practical implementation of the zoning process.

The work gathers the experience of the European Rail ISAC and of their members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.

A number of requirements are set, such as:

- Identification of all assets and of basic process demands;
- Identification of global corporate risks;
- Performing zoning;
- Checking threats.

A risk assessment process is developed based on standards for the identification of assets and the system considered, and for the partitioning of zones and conduits. The report also addresses the cybersecurity requirements in terms of documentation and suggests a step-by-step approach to follow.

The report is released on the occasion of the General Assembly meeting of the European Rail ISAC which is taking place today.

The EU Agency for Cybersecurity engages closely with the European Rail Agency (ERA) to support the railway sector and is to host a joint event with ERA later this year.

CREWS commits additional funding to strengthen Early Warning Systems in the Caribbean

Different and multiple hazards, such as severe weather conditions in land and at sea, droughts, hurricanes, floods, and earthquakes, pose a serious threat to the Caribbean, which is one of the most disaster-prone regions in the world. Combined, geological and hydro-meteorological hazards have affected more than 100 million people in the region, causing significant economic losses and casualties.

The development of Early Warning Systems has been identified by the Sendai Framework for Disaster Risk Reduction 2015–2030, the 2030 Agenda for Sustainable Development, and the Paris Agreement as a key pathway to prevent disasters and reduce the negative impacts of multiple hazards.

As defined by the UNDRR, Multi-hazard Early Warning Systems are "an integrated system of hazard monitoring, forecasting and prediction, disaster risk assessment, communication and preparedness activities systems and processes that enables individuals, communities, governments, businesses and others to take timely action to reduce disaster risks in advance of hazardous events".

The Climate Risk and Early Warning Systems Initiative (CREWS) is a mechanism that provides financial support to Least Developed Countries (LDCs) and Small Island Developing States (SIDS) to establish risk-informed early warning services, implemented by three partners, based on clear operational procedures. CREWS has recently donated an additional $1 million to support the project Strengthening Hydro-Meteorological and Early Warning Services in the Caribbean , which will be implemented by UNDRR in 2022.

The project aims to strengthen Early Warning Services (EWS) in the Caribbean and to articulate the response capacity of individuals, institutions, and communities through the development of a regional strategy to strengthen and streamline early warning and hydro-meteorological services. This includes developing appropriate approaches to risk-informed decision-making for EWS, identifying gaps in risk assessment at regional and national levels, and evaluating the resilience of already existing infrastructure such as forecasting centres, shelters, and National Meteorological and Hydrological Services. The project will also examine opportunities for building partnerships with the private sector and assess socio-economic benefits to ensure the sustainability of investments and activities.

This project aligns with the Sendai Framework and focuses on the implementation of target G, which aims to “substantially increase the availability of and access to multi-hazard early warning systems and disaster risk information and assessments to people by 2030”. The Sendai 7 campaign of the 2022 International Day for Disaster Risk Reduction will be focusing on this same target. Ensuring access to Multi -hazard Early Warning Systems in the Caribbean is regarded as a tool that enables individuals, communities, governments, businesses, and other stakeholders to take timely action to reduce disaster risk in advance of hazardous events.

This is also a matter of urgency, as disclosed in the Regional Assessment Report on Disaster Risk in Latin America and the Caribbean (RAR21), published last year: “In the short and medium term the occurrence of new mega-disasters in the region is almost inevitable given the extreme risk embedded there. It is therefore urgent to strengthen corrective and reactive management capabilities, especially early warning systems, preparedness and response.”

Fourth radio interface technology added to 5G standards

Members of the International Telecommunication Union (ITU) today approved a fourth technology as part of ongoing standards development for 5G mobile services.

Known as “DECT 5G-SRIT", the new technology supports a range of uses, from wireless telephony and audio streaming to industrial Internet of Things (IoT) applications, particularly in smart cities.

It was added in the first revision to ITU's key recommendation IMT-2020, which broadly encompasses fifth-generation, or 5G, networks, services, and devices.

This ITU Radiocommunication Sector (ITU-R) Recommendation – providing a set of global technical 5G standards – reflects continual consultation and discussion among governments, companies, regulators, and other stakeholders dealing with radiocommunication worldwide.

Along with fostering connectivity across borders, ITU promotes the global rollout of 5G as a key driver to achieve the UN's 17 Sustainable Development Goals.​

“New and emerging technologies like 5G will be essential to build an inclusive, sustainable future for all people, communities and countries," said ITU's Secretary-General, Houlin Zhao. “Under the ongoing International Mobile Telecommunications or IMT programme, our diverse global membership continues its long-standing contribution to advance broadband mobile communications, furthering our mission to leave no one behind in connecting the world."

A new radio interface technology

ITU – the United Nations agency entrusted with coordinating radio-frequency spectrum worldwide - published the specifications for the new technology as Recommendation ITU-R M.2150-1.

The technology is designed to provide a slim but strong technical foundation for wireless applications deployed in a range of use cases, from cordless telephony to audio streaming, and from professional audio applications to the industrial Internet of Things (IoT) applications, such as building automation and monitoring.

The European Telecommunications Standards Institute (ETSI) laid the essential groundwork jointly with the DECT Forum, a worldwide association of the digital enhanced cordless telecommunications (DECT) or wireless technology industry.

NCSC advises organisations to act following Russia’s attack on Ukraine

Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call upon on organisations in the UK, and beyond, to bolster their online defences.

The NCSC – which is a part of GCHQ – has urged organisations to follow its guidance on steps to take when the cyber threat is heightened.

While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences.

The guidance encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.

For the NCSC Guidance visit https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened

Information Technologies for Managing Federal Use

Radio-frequency spectrum is a scarce natural resource vital to many commercial and government activities, including weather observation, air traffic control, and national defense. NTIA and government agencies have a responsibility to manage their spectrum use wisely. To do so, agencies rely on different spectrum-related IT, but NTIA has recently highlighted that existing IT is out-of-date and hinders spectrum management.

Federal officials said modernization of spectrum-related federal IT could provide benefits such as greater sharing of the limited spectrum and improved efficiency. For example, the current process for assigning spectrum relies on manual reviews of frequency requests and manual input of data. Automation could reduce errors and speed the process.

The FY21 NDAA contains a provision for GAO to review the current spectrum-related IT of covered agencies. This report describes (1) the existing spectrum-related IT that covered agencies employ to manage their spectrum use, and (2) the opportunities covered agencies and NTIA identified for improving spectrum management through IT modernization. The FY21 NDAA also contains a provision for GAO to conduct oversight of the implementation of agencies' spectrum-related IT modernization plans. This topic will be the subject of future GAO work.

Federal agencies use a variety of information technologies (IT) to manage their use of radio-frequency spectrum. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA) required the National Telecommunications and Information Administration (NTIA) and covered agencies to develop plans to modernize their spectrum-related IT (i.e., the software, databases, and other tools that comprise their spectrum infrastructure).

Currently, the NTIA provides agencies with some spectrum-related IT systems, such as software, databases, and engineering tools, so that they can participate in NTIA's spectrum management processes. These processes include assigning frequencies for agencies to use and certifying spectrum-dependent equipment. GAO found that all 20 agencies covered by the FY21 NDAA modernization requirement rely at least in part on NTIA-provided IT to manage their spectrum use. Additionally, most of these agencies—DOD and the Federal Aviation Administration, in particular—augment NTIA-provided IT with additional spectrum-related IT that meets their unique mission needs.

Many of the officials GAO interviewed broadly agreed that modernizing spectrum-related IT could provide opportunities to improve spectrum management, mostly related to the following: (1) improving current spectrum management processes by addressing some limitations in existing spectrum-related IT and (2) facilitating the potential for greater spectrum sharing (i.e., enabling more than one spectrum user to use the same frequency band without interfering with each another). As NTIA and the covered agencies advance their modernization efforts in 2022, it is not yet clear if their plans will target these opportunities.

 

CISA and FBI Publish Advisory to Protect Organizations from Destructive Malware Used in Ukraine

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory today providing an overview of destructive malware that has been used to target organizations in Ukraine as well as guidance on how organizations can detect and protect their networks. The joint Advisory, “Destructive Malware Targeting Organizations in Ukraine,” provides information on WhisperGate and HermeticWiper malware, both used to target organizations in Ukraine.

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. While there is no specific, credible threat to the United States at this time, all organizations should assess and bolster their cybersecurity. Some immediate actions that can be taken to strengthen cyber posture include:

- Enable multifactor authentication;
- Set antivirus and antimalware programs to conduct regular scans;
- Enable strong spam filters to prevent phishing emails from reaching end users;
- Update software; and
- Filter network traffic.

“In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the U.S.,” said CISA Director Jen Easterly. “Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”

"The FBI alongside our federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector," said FBI Cyber Division Assistant Director Bryan Vorndran. "We are striving to disrupt and diminish these threats, however we cannot do this alone, we continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident."

Executives and leaders are encouraged to review the advisory, assess their environment for atypical channels for malware delivery and/or propagation through their systems, implement common strategies, and ensure appropriate contingency planning and preparation in the event of a cyberattack.

CISA has updated the Shields Up webpage to include new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.

1 2 3 34