Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing

One of CISA’s most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange machine-readable cyber threat information. We know that the only constant in cybersecurity is change, and we’re evolving our information sharing approaches to maximize value to our partners and keep pace with a changing threat environment.

How Did We Get Here?

Every day, CISA evaluates the cyber threat environment, considers the impact of known vulnerabilities, and assesses the defensive posture of entities across our Nation to determine how we can most effectively safeguard critical infrastructure and government networks. Our insight is derived from a variety of sources to include classified and open-source reporting; operational collaboration with government and industry partners; findings from CISA assessments and incident response; and from information shared by members of our broad cybersecurity community through mechanisms such as AIS.

CISA then translates these insights into timely and relevant information. We share information broadly on a global scale, through alerts, advisories, and our Known Exploited Vulnerabilities catalog. We enrich our shared services and cyber capabilities with cyber threat information (CTI). And we leverage these insights to design and prioritize new cyber capabilities for programs such as Continuous Diagnostics and Mitigation (CDM). Across the board, CISA incorporates our unique insights into the global cyber threat environment into everything we offer to provide value to our partners.

While these threat-informed products and capabilities are important to many of our stakeholders, we know that organizations also benefit from receiving cyber threat information to shape investment decisions and prioritize mitigation actions. It is not enough to monitor broad cyber threats generally; organizations must apply threat information to their own risk and technology environments. AIS was established to satisfy legislative requirements and to provide stakeholder communities with a cost-effective means by which to exchange cyber threat indicators and defensive measures with CISA and, in doing so, with thousands of cybersecurity practitioners across the country and with partners across the globe. When it was first established, AIS was a novel model that helped many organizations around the world. But now, it’s time for a change.

Where Are We Going?

As the cyber threat environment evolves, so must our capabilities to analyze and share cyber threat information. When AIS was first designed, the U.S. Government was focused on filling an identified gap in cyber threat intelligence for many organizations and ensuring strong privacy controls. In the early days of AIS, the priority was speed. A decade later, the cybersecurity industry has matured substantially; current products and services are addressing information requirements for most organizations and, in an era of information overload, practitioners still require speed but value context, precision, and tailored insights over volume and velocity alone.

In 2024, CISA will begin a strategic effort to modernize our approach to enterprise cyber threat information sharing. This effort will drive three key areas of progress:

- Simplification: We will refocus and consolidate our customer-facing cyber threat intelligence offerings under a new initiative called Threat Intelligence Enterprise Services (TIES). The TIES Exchange Platform will unify our information sharing capabilities under a single banner for federal agencies and certain user communities, enabling streamlined provision of cyber threat information from our partners and commercial sources. This will offer a common view which will facilitate communications and enable threat-specific engagement. As we design and implement this central solution, CISA is working in parallel to modernize our AIS capability which, in the future, will further complement CISA-curated threat feeds made available by this shared service platform.

- Partner-Centered Design: Throughout this process, we will be driven by the requirements of our partners, including federal agencies, critical infrastructure organizations, and state, local, tribal, territorial governments, to ensure that we are adding value rather than duplicating capabilities. We will continuously seek feedback and ensure that the platform itself is built around human-centered design principles to enable ease-of-use even for under-resourced organizations.

- Learning from Experience: We will rigorously learn from known challenges with the legacy AIS system: we know that it must be easy to both share and receive; that shared information must have sufficient context to enable prioritized action; and that every participant must recognize meaningful value that is additive to existing cybersecurity capabilities. At the same time, we will build upon the successes of the AIS program, including a rigorous focus on privacy and confidentiality by design.

What to Expect Next?

CISA's goal is to facilitate collective, automated cyber defense through increased sharing and context, shaped by an acute understanding of the threat environment. While CISA implements this transition over the next two years, the AIS program will remain available, and we encourage users to continue leveraging this capability and actively share indicators back with CISA.

Shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment, perhaps a New Year’s resolution, to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.

CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector

Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers

The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA), Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. The advisory also provides network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.

The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: (1) Asset management and security, (2) Identity management and device security, and (3) Vulnerability, patch, and configuration management. Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.

“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan. “Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations and enroll in our vulnerability scanning service which can further help reduce cyber risk.”

This advisory builds on the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).

The recommended actions for software manufacturers are aligned to the recently updated Principles and Approaches for Secure by Design Software, a joint guide co-sealed by 18 U.S. and international agencies. It urges software manufacturers to take urgent steps necessary to design, develop, and deliver products that are secure by design.

Action against digital skimming reveals 443 compromised online merchants

Europol, law enforcement authorities from 17 countries and the European Union Agency for Cybersecurity (ENISA) have joined forces with private sector partners, including Group-IB and Sansec, to fight digital skimming attacks.

With the support of national Computer Security Incident Response Teams (CSIRTs), the two-month action has enabled Europol and its partners to notify 443 online merchants that their customers’ credit card or payment card data had been compromised. This action, led by Greece, falls under the EMPACT priority, which targets the criminals behind online fraud schemes.

Digital skimming is the act of stealing credit card information or payment card data from customers of an online store. Criminals typically plant malicious code in the store’s checkout pages so that the payment details a customer types in are copied to a server under the criminals’ control as the legitimate transaction proceeds, without customers or online merchants noticing anything unusual.

Data theft often goes unnoticed

Digital skimming attacks can go undetected for a long time. Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet. Customers are usually not aware that their payment details have been compromised until the criminals have already used them to carry out an unauthorised transaction. Generally, it is difficult for customers to find the point of compromise.

Europol is participating in the digital skimming action with the aim of informing affected e-commerce platforms and other online merchants that they have been unintentional points of compromise for such stolen payment data. Europol, national law enforcement authorities, national Computer Security Incident Response Teams and trusted private industry partners identify affected online merchants and provide technical support to these platforms to resolve the issues and protect future customers.

NCCoE Announces Technology Collaborators for Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector Project

The NCCoE has invited technology providers and industry experts from Amazon Web Services, Cisco, Dragos, Garland Technology, Inductive Automation, Qcor, Rockwell, Siemens, TDI Technologies, and Tenable to collaborate on the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project.

These collaborators will work with the NCCoE project team to demonstrate a practical solution to assist organizations in detecting, responding to, and recovering from a cyber incident within an operational technology environment.

The result will be a freely available NIST Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.

Each of these organizations responded to a notice in the Federal Register to submit capabilities that aligned with desired solution characteristics for the project. The accepted collaborators were extended a Cooperative Research and Development Agreement, enabling them to participate in a consortium in which they will contribute expertise and hardware or software to help refine a reference design and build example standards-based solutions.

CISA Issues Request For Information on Secure by Design Software Whitepaper

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.

To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:

- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula? When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features? Which OT products or companies have implemented some of the core tenets of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. “Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.”

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.

With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.

Most populous city in Philippines leads by example in inclusive DRR

Reducing disaster risk is seemingly never-ending in a country like the Philippines, which is exposed to a multitude of natural hazards.

Increasing urbanization also increases the risk of disasters in cities. New patterns of hazards, exposure and vulnerability are emerging. In this context, local authorities play a dual role. They are the first responders to disasters but are also instrumental in disaster risk reduction (DRR).

Persons with disabilities are often the most affected by natural hazards. Little progress has been made over the past decade in including them in DRR, according to a survey conducted by the United Nations Office for Disaster Risk Reduction (UNDRR) in 2023. Persons with disabilities often do not have access to information about disaster risk and are not included in decision-making related to DRR in communities, and few DRR plans consider the specific needs of persons with disabilities. This is the case in the Philippines as in most countries around the world.

A push in the right direction

The Midterm Review of the Sendai Framework for Disaster Risk Reduction 2015-2030, which concluded in 2023, emphasized that more needs to be done to engage the whole of society in DRR, especially the people and communities most at-risk, and that DRR at the local level is of great importance if we want to implement the Sendai Framework by 2030.

Despite the ambitious agenda to localize DRR and the progress that the Philippines has made in increasing capacities and resources and developing regulations at the smallest government units (barangay), its voluntary national report for the Sendai Framework Midterm Review highlights the need to further strengthen local DRR as a priority area.

A chain of learning

On 28 and 29 November 2023, UNDRR provided a training on urban resilience and disability inclusion in DRR in Quezon City, which is the most populous city in the Philippines and belongs to the Metro Manila region. Representatives from different city departments attended, alongside organizations of persons with disabilities.

A key element of the UNDRR-led initiative Making Cities Resilient 2030 (MCR2030) is connecting cities and facilitating peer learning on resilience. A representative from Baguio City in the northern Philippines co-facilitated the training in Quezon City and shared experiences from the inclusion of persons with disabilities in DRR in a context that is familiar to Quezon. In 2022, officials from Baguio City were trained by the MCR2030 Resilience Hub Makati City, which is also part of Metro Manila. Quezon City is thus the third city in this learning chain.

An assessment, an action plan, a platform and lots of commitment

During the training in Quezon City, participants learned how to use the Disaster Resilience Scorecard for Cities and its annex for the inclusion of persons with disabilities in DRR to evaluate disaster risk management practices.

Based on this assessment, they developed an initial action plan on the inclusion of persons with disabilities in institutional capacities, infrastructure resilience, and recovery, including “Building Back Better”.

The aim of the training was not only to increase knowledge about inclusive DRR and risk assessment capacities, but also to build a platform where local authorities and persons with disabilities come together to discuss DRR and where persons with disabilities are involved in risk assessments and decision-making on DRR.

For many representatives from organizations of persons with disabilities, this training was the first time they had been included in discussions about DRR. “We appreciate the opportunity to have a seat at the table and contribute to decisions that concern us”, one representative said.

Together, the city officials and the organizations of persons with disabilities committed to making DRR in Quezon City more inclusive and to transferring their knowledge and lessons learnt to other cities.

Support for local DRR from the national authorities

With the Department of the Interior and Local Governments (DILG) and the Office for Civil Defense (OCD), national authorities were also represented at the workshop.

An official from the OCD highlighted that the inclusion of persons with disabilities is an issue that needs to be further considered in policies and frameworks, at the local and national levels. “The training helped to understand that local planning needs to be more inclusive and also take into account the needs and perspectives of persons with disabilities to build resilience”, he said.

The engagement of national authorities in MCR2030 builds capacity for urban resilience also at the national level, helping to ensure that cities are more resilient to future disasters and the most at-risk are protected.

[Source: Making Cities Resilient 2030 (MCR2030) United Nations Office for Disaster Risk Reduction - Regional Office for Asia and Pacific]

SIRIUS 2023 report: Navigating the new era of obtaining electronic evidence

The latest SIRIUS publication outlines the experiences of EU authorities in retrieving electronic data held by foreign-based service providers, as well as their experiences in delivering data for the purpose of criminal investigations over the past year.

The report highlights a new frontier in electronic evidence

The EU Electronic Evidence legislative package, adopted in July 2023, marks a new era in obtaining electronic evidence, as it will enable competent authorities to issue legally binding orders directly to service providers offering services within the EU, regardless of their place of establishment. This move will help address issues regarding lengthy judicial procedures to obtain data across borders, as well as legal uncertainties surrounding practices of voluntary cooperation between competent authorities and service providers.

Furthermore, other new legal instruments, such as the Second Additional Protocol to the Budapest Convention on Cybercrime will introduce novel legal bases for direct cooperation between competent authorities and private entities. The EU Digital Services Act, which introduces standardised minimum requirements for orders to provide information under EU Member States’ national laws, also provides further tools and clarity for authorities in need of obtaining data across borders.

However, challenges persist. The report highlights the need for comprehensive preparation among all stakeholders. From law enforcement's perspective, social media platforms, messaging apps, and cryptocurrency exchanges are pivotal in investigations. While formal training on electronic evidence has been provided to officers, gaps in familiarity with the new legislation remain, emphasising the need for extensive training programs.

Judicial authorities face time-consuming hurdles when accessing data from foreign service providers, underscoring the need for enhanced legal powers and EU-wide legislative efforts to regulate data retention for the purposes of criminal investigations and proceedings. Service providers, on the other hand, grapple with authenticating requests and resource allocation, emphasising the benefits of centralisation of requests.

A strategic roadmap to navigate this new frontier in electronic evidence

Amidst the challenges posed by advancing technology and the expanding electronic landscape, the report provides recommendations for law enforcement and judicial authorities, as well as service providers, which serve as a strategic roadmap.

By strengthening capacity and mutual trust, law enforcement and judicial authorities can successfully navigate the complexities of electronic evidence. Collaborative efforts and shared solutions will pave the way for a more secure digital environment in the EU, as well as effective and efficient prosecutions. To prepare law enforcement and judicial authorities as well as service providers to successfully pioneer this new frontier of electronic evidence, it is imperative to raise awareness and provide training on the novel legal instruments that are central to it.

CISA and ENISA Enhance Cooperation

The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness.

Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023.

ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those areas and activities that will have high and measurable added value in achieving the Agency’s strategic objectives. CISA is a key partner to ENISA in achieving these objectives and by extension the EU in achieving a higher common level of cybersecurity. The Working Arrangement is both a consolidation of present areas of cooperation, as well as opening the door to new ones. Current examples are the organisation and promotion of the International Cybersecurity Challenge (ICC), exchanging best practices in the area of incident reporting or ad hoc information exchanges on basic cyber threats.

High Representative of the European Union for Foreign Affairs and Security Policy / Vice-President of the European Commission, Josep Borrell said: “Cyber threats have no borders. This is why international cooperation with our partners is a must. The working arrangement between ENISA and CISA is an important deliverable from the EU-US Cyber Dialogue. It will enable us to effectively combat the escalating cybersecurity threats we confront. By fostering deeper cooperation, we can facilitate information sharing, develop collaborative strategies, and bolster our collective resilience against cyberattacks.”

European Commissioner for Industry, Defence and Technology, Thierry Breton said: “Today’s challenging geopolitical context also manifests in intensified threats facing us in the cyberspace. It is essential that the EU and the United States work hand in hand to advance a secure cyberspace, including through protecting critical infrastructures and improving the security of digital products.”

Signing partners:

CISA leads the United States’ effort to understand, manage, and reduce risk to cyber and physical infrastructure. “In today’s highly complex and borderless cyber threat landscape, collaboration remains key to everything we do,” said CISA Director Jen Easterly. “CISA’s Working Arrangement with ENISA signifies a new chapter in our collective resilience. Together we will enhance cybersecurity awareness, fortify capacity building initiatives, and foster a robust environment for knowledge sharing and best practice exchanges, ensuring a safer digital landscape for our citizens.”

European Union Agency for Cybersecurity (ENISA), Executive Director, Juhan Lepassaar, said: “This new Working Arrangement is an evolution and consolidation of the effective cooperation with our US counterpart. The structured collaboration will address some of our common challenges in the cyber threat landscape.”

This arrangement is broad in nature and covers both short-term structured cooperation actions, as well as paving the way for longer-term cooperation in cybersecurity policies and implementation approaches. Cooperation will be sought in the areas of:

- Cyber Awareness & Capacity Building to enhance cyber resilience: including facilitating the participation as third country representatives in specific EU-wide cybersecurity exercises or trainings and the sharing and promotion of cyber awareness tools and programmes.

- Best practice exchange in the implementation of cyber legislation; including on key cyber legislation implementation such as the NIS Directive, incident reporting, vulnerability management and the approach to sectors such as telecommunications and energy.

- Knowledge and information sharing to increase common situational awareness: including a more systematic sharing of knowledge and information in relation to the cybersecurity threat landscape to increase the common situational awareness to the stakeholders and communities and in full respect of data protection requirements.

A work plan will operationalise the Working Arrangement and regular reporting at the EU-US Cyber Dialogues is foreseen.

Medical Device Cybersecurity: Agencies Need to Update Agreement to Ensure Effective Coordination

Cybersecurity vulnerabilities that threaten medical devices aren't commonly exploited but still pose risks to hospital networks—and patients, according to a federal study.

The Food and Drug Administration has primary responsibility for medical device cybersecurity. FDA formally collaborates with the Cybersecurity and Infrastructure Security Agency on security guidance for device manufacturers, public alerts about current vulnerabilities, and more.

However, the agencies' formal agreement is 5 years old. We recommended updating the agreement to improve agency coordination and clarify roles.

Medical devices, such as heart monitors, connected to a hospital network may be vulnerable to cyber threats.

According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits. Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.

Non-federal entities representing health care providers, patients, and other relevant parties identified challenges in accessing federal support to address cybersecurity vulnerabilities. Entities described challenges with (1) a lack of awareness of resources or contacts and (2) difficulties understanding vulnerability communications from the federal government. Agencies are taking steps that, if implemented effectively, can meet these challenges.

Key agencies are also managing medical device cybersecurity through active coordination. Specifically, the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) developed an agreement addressing most leading practices for collaboration. However, this 5-year-old agreement did not address all such practices and needs to be updated to reflect organizational and procedural changes that have occurred since 2018.

FDA authority over medical device cybersecurity has recently increased. Specifically, December 2022 legislation requires medical device manufacturers to submit to FDA, among other things, their plans to monitor, identify, and address cybersecurity vulnerabilities for any new medical device that is to be introduced to consumers starting in March 2023. This legislation is limited to new devices and does not retroactively apply to those devices introduced prior to March 2023, unless the manufacturer is submitting a new marketing application for changes to the device.

FDA officials are implementing new cybersecurity authorities and have not yet identified the need for any additional authority. They can take measures to help ensure device cybersecurity under existing authorities such as monitoring health sector and CISA alerts, as well as directing manufacturers to communicate vulnerabilities to user communities and to remediate the vulnerabilities.

According to FDA guidance, if manufacturers do not remediate vulnerabilities, FDA may find the device to be in violation of federal law and subject to enforcement actions.

Cyber threats that target medical devices could delay critical patient care, reveal sensitive patient data, shut down health care operations, and necessitate costly recovery efforts. FDA is responsible for ensuring that medical devices sold in the U.S. provide reasonable assurance of safety and effectiveness.

The Consolidated Appropriations Act, 2023, includes a provision for GAO to review cybersecurity in medical devices. This report addresses the extent to which (1) relevant non-federal entities are facing challenges in accessing federal support on medical device cybersecurity, (2) federal agencies have addressed identified challenges, (3) key agencies are coordinating on medical device cybersecurity, and (4) limitations exist in agencies' authority over medical device cybersecurity.

GAO identified federal agencies with roles in medical device cybersecurity. It also selected 25 non-federal entities representing health care providers, patients, and medical device manufacturers. GAO interviewed these entities on challenges in accessing federal cybersecurity support. In addition, GAO assessed agency documentation and compared coordination efforts against leading collaboration practices; reviewed relevant legislation and guidance; and interviewed agency officials.

GAO is making recommendations to FDA and CISA to update their agreement to reflect organizational and procedural changes that have occurred. Both agencies concurred with the recommendations.

CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps

As part of the Secure by Design campaign, CISA has published The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously in collaboration with the following partners:

• United States National Security Agency
• United States Federal Bureau of Investigation
• Australian Signals Directorate’s Australian Cyber Security Centre
• Canadian Centre for Cyber Security
• United Kingdom National Cyber Security Centre
• New Zealand National Cyber Security Centre
• Computer Emergency Response Team New Zealand

Malicious cyber actors routinely exploit memory safety vulnerabilities, which are common coding errors and the most prevalent type of disclosed software vulnerability. Preventing and responding to these vulnerabilities cost both software manufacturers and their customer organizations significant time and resources.

The Case for Memory Safe Roadmaps details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance provides manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets.

CISA and our partners urge C-suite and technical experts at software manufacturers to read this guidance and implement memory safe roadmaps to eliminate memory safety vulnerabilities from their products.
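The class of bug the guide is about, shown as an added example that is not from the CISA guide or any of the co-sealing agencies: a C parser for a length-prefixed record that trusts an attacker-controlled length byte, beside the same parser with the bounds checks a memory-unsafe language leaves to the programmer. The struct, function names and the constructed inputs are illustrative. It also illustrates the kind of recurring vulnerability class the Secure by Design Request for Information above asks manufacturers about eliminating.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative record format (assumption, not from the guide): the first byte
   is the length of a name that follows it. */
#define NAME_MAX 16

struct record {
    char    name[NAME_MAX];
    uint8_t name_len;
};

/* VULNERABLE: the length byte comes from the input, so an attacker chooses it.
   With len > NAME_MAX this writes past the end of out->name (a stack or heap
   overflow); with len > buf_len - 1 it also reads past the end of buf. */
int parse_record_unsafe(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf_len < 1)
        return -1;
    uint8_t len = buf[0];
    memcpy(out->name, buf + 1, len);    /* no bounds check on len */
    out->name_len = len;
    return 0;
}

/* HARDENED: the same parser, with the length validated against both the
   destination buffer and the remaining input before anything is copied. */
int parse_record_safe(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf == NULL || out == NULL || buf_len < 1)
        return -1;                      /* malformed: no length byte at all */
    uint8_t len = buf[0];
    if (len > NAME_MAX - 1)
        return -2;                      /* would overflow out->name (room kept for NUL) */
    if ((size_t)len > buf_len - 1)
        return -3;                      /* truncated: fewer bytes than the header claims */
    memcpy(out->name, buf + 1, len);
    out->name[len] = '\0';
    out->name_len = len;
    return 0;
}

int main(void)
{
    struct record r;
    /* Constructed inputs: a well-formed record and one with a hostile length byte. */
    const uint8_t good[]    = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t hostile[] = { 200, 'x', 'x', 'x' };

    printf("safe/good:    %d (%s)\n", parse_record_safe(good, sizeof good, &r), r.name);
    printf("safe/hostile: %d\n", parse_record_safe(hostile, sizeof hostile, &r));
    /* parse_record_unsafe(hostile, sizeof hostile, &r) would corrupt memory;
       run it only under AddressSanitizer (cc -fsanitize=address) to see the report. */
    return 0;
}
```

The unsafe variant compiles and passes well-formed input exactly like the safe one, which is why this class of bug survives testing: nothing distinguishes the two until hostile input arrives. A memory safe language turns the same out-of-bounds copy into a compile-time error or a runtime panic instead of silent corruption, which is the point of the roadmap the guide asks manufacturers to publish.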
