Testing the Resilience of the European Healthcare Sector

To ensure citizens’ trust in the medical services and infrastructure available to them, health services should function at all times. If health services and infrastructures in Europe were the object of a major cyber attack, how would we respond and coordinate at both national and EU level to mitigate the incidents and prevent an escalation?

This is the question Cyber Europe 2022 sought to answer using a fictitious scenario. Day one featured a disinformation campaign of manipulated laboratory results and a cyber attack targeting European hospital networks. On day two, the scenario escalated into an EU-wide cyber crisis with the imminent threat of personal medical data being released and another campaign designed to discredit a medical implantable device with a claim of a vulnerability.

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, said: “The complexity of our challenges is now proportionate to the complexity of our connected world. This is why I strongly believe we need to gather all the intelligence we have in the EU to share our expertise and knowledge. Strengthening our cybersecurity resilience is the only way forward if we want to protect our health services and infrastructures and ultimately the health of all EU citizens.”

The pan-European exercise organised by ENISA rallied a total of 29 countries from both the European Union and the European Free Trade Association (EFTA), as well as EU agencies and institutions, including ENISA, the European Commission, the CERT of EU Institutions, bodies and agencies (CERT-EU), Europol and the European Medicines Agency (EMA). More than 800 cybersecurity experts were in action to monitor the availability and integrity of the systems over the two days of this latest edition of Cyber Europe.

Can we strengthen the cyber resilience of EU healthcare?

The participants who engaged in the complex exercise were satisfied with the way the incidents were dealt with and the response to fictitious attacks.

Now, the analysis of the process and of the outcomes of the different aspects of the exercise needs to be performed in order to get a realistic understanding of potential gaps or weaknesses which may require mitigation measures. Dealing with such attacks requires different levels of competences and processes, including efficient and coordinated information exchange, the sharing of knowledge around specific incidents, and how to monitor a situation that is about to escalate in the case of a generalised attack. The role of the EU-level CSIRTs network and the draft standard operation processes (SOPs) of the CyCLONe group also need to be looked into.

The deeper analysis will be published in the after-action report. The findings will serve as a basis for future guidance and further enhancements to reinforce the resilience of the healthcare sector against cyber attacks in the EU.

Experts Assess Implementation of International Conventions on Nuclear Emergency Response

Countries need to work closely together in the event of a nuclear emergency, so sharing experience and improving emergency preparedness are key tasks stemming from the IAEA’s mandate. Those responsible for emergency preparedness at the national level – officially referred to as Competent Authorities – met in Vienna last week at the 11th Meeting of the Representatives of Competent Authorities identified under the Early Notification Convention and the Assistance Convention, and discussed ways to ensure that the necessary expertise, services and equipment are available promptly upon request by any government in the event of a nuclear or radiological emergency.

In his remarks, IAEA Director General Rafael Mariano Grossi referred to the role of the two conventions in relation to nuclear facilities in Ukraine. “Everything we have done to assist Ukraine in maintaining nuclear safety, security and an adequate level of safeguards; everything we have done to inform the wider world of the situation during this first military conflict fought in the direct proximity of a major nuclear power programme, we have done through the framework that many of you have built and improved in the years leading up to today…this framework is being tested like never before,” he said.

A strong and integrated international framework for notification and assistance in the event of a nuclear emergency is essential to protect people and the environment from the harmful effects of ionizing radiation, said the meeting’s Chair, Faizan Mansoor, Head of the Pakistan Nuclear Regulatory Authority. “This meeting is essential, since it gathers the world’s experts in nuclear emergency preparedness and response to determine if our arrangements remain effective when emergencies occur under increasingly complex conditions,” he said.

Competent Authorities are the entities designated by their governments to carry out specific duties with respect to issuing and receiving information relating to nuclear and radiological emergencies under these conventions. They meet every two years to evaluate and strengthen the implementation of the Early Notification Convention and the Assistance Convention. Both conventions were concluded in 1986, in the immediate aftermath of the accident at the Chornobyl Nuclear Power Plant, and establish the international framework for the exchange of information and the prompt provision of assistance in the event of a nuclear or radiological emergency, with the aim of minimising the consequences.

“Radiation does not recognize borders, and countries need to work together swiftly to prevent people from coming to harm in the wake of a transboundary radioactive release,” said Carlos Torres Vidal, Director of the IAEA’s Incident and Emergency Centre.

Preparing to Respond to a Rare Event

The IAEA has created a number of platforms and mechanisms, such as the Unified System for Information Exchange in Incidents and Emergencies (USIE), the International Radiation Monitoring Information System (IRMIS) and the Assessment and Prognosis Tools and the Response and Assistance Network to help countries work with each other, and with the IAEA and other international organizations, during a response. For example, USIE is a secure platform for information sharing that allows countries to fulfil their obligations under the Early Notification Convention; the same function is performed for the Assistance Convention by the Response and Assistance Network, or RANET, which allows countries to offer, and receive, assistance and expertise; and IRMIS collects and maps large quantities of environmental radiation monitoring data during nuclear or radiological emergencies.

The IAEA supports countries in setting up robust preparedness mechanisms, through the development of safety guides and publications, and the provision of trainings and other capacity-building initiatives.

Although most people associate nuclear emergencies with accidents at nuclear power plants, such as those at Chornobyl (1986) and Fukushima Daiichi (2011), such events are in fact very rare. At the same time, the Response and Assistance Network has been mobilized several times in the past decade to respond to countries dealing with the consequences of far more common radiological emergencies, such as workers becoming accidentally exposed to hazardous levels of radiation from contact with radiation sources used in industry or medicine.

“These past two years have demonstrated that emergencies come in diverse forms such as earthquakes, floods and fires, and that we need to pay more attention than ever before to our motto: Prepare. Respond. Improve,” said Lydie Evrard, Deputy Director General and Head of the Department of Nuclear Safety and Security.

New open-source software that decrypts social media messages to help manage risks and disasters

The European Commission’s new algorithm, developed by the Joint Research Centre (JRC), can segment social media messages to identify, verify and help manage disaster events (such as floods, fires or earthquakes) in real time.

Suppose you are an emergency responder and you see a social media post showing an unusable road in a place not covered by traditional news. Suppose you see a similar message from several accounts. Wouldn’t you wonder if they were referring to the same event or whether that area was worth a more detailed analysis with a satellite image?

It was with this in mind that scientists from the JRC helped deal with the 2021 Haiti Earthquake by using social media data analysis to complement the assessment of impacts in the immediate aftermath of the earthquake.

This experience was the first real-world use of a software platform that can scan millions of social media texts and images per day for situational awareness and impact assessment. This information is collected, filtered and geocoded automatically and in real time using machine learning (artificial intelligence) models.

Software that helps responders with flood risk management

The first goal of this platform was to provide an additional geospatial layer in the European Flood Awareness System (EFAS) and the Global Flood Awareness System (GloFAS). These two online systems offer flood forecasts based on model simulations, which are crucial to the Copernicus Emergency Management Service managed by the JRC.

The monitoring ability of these early warning systems is mostly anchored in satellite images and numerical models. The integration of this new social media for disaster risk management (SMDRM) software will allow them to assess the likelihood and impacts of a flood event with even greater accuracy.

An open-source tool available to all researchers and technicians

The new layer for EFAS and GloFAS is the first product developed using the SMDRM software. Nonetheless, since the software has been released as open source (free and open to all technicians linked to crisis response who want to leverage it), the scientists expect it to have wider use, and they remain available for collaboration.

The SMDRM software can be adapted for different scales and label relevant images for floods, storms, earthquakes and fires, resulting in valuable information for reports or descriptions of the situation on the ground or in the vicinity.

Technicians or researchers working on map development can use the code to find more data to improve or confirm their findings and complement information extracted from traditional sensors or earth observation sources.

Software that connects citizens to disaster risk management

Data from the SMDRM software help confirm whether an event is happening and where exactly the most affected locations are.

It is a clear example of how social media and active citizenship can contribute to disaster risk management, as it helps crisis responders improve their situational awareness in the immediate aftermath of an event.

Submarine telecom cables enhance climate monitoring and tsunami forecasts

Over 1.3 million kilometres of submarine telecommunications cables now span the world’s oceans. As the network grows and old cables are replaced, the next generation of cables could form a real‑time ocean observation network able to provide accurate early warnings of tsunamis and a wealth of valuable data for climate science.

A standard SMART cable, meaning a telecom cable upgraded for “Scientific Monitoring And Reliable Telecommunications”, will include climate and hazard‑monitoring sensors designed to co‑exist with telecom components and to last for the same 25‑year lifespan as any commercial cable.

Climate scientists hope for the resulting ocean‑observation network to grow sustainably alongside commercial network deployments. The SMART cable will combine scientific sensing and telecoms into the same, shared submarine cable, never compromising reliable telecoms.

Two new standards now under development at the International Telecommunication Union (ITU) will support this aim, providing for both SMART cables and cables dedicated exclusively to scientific sensing. This standards effort builds on minimum requirements established by the Joint Task Force on SMART Cable Systems, formed in 2012 with the support of ITU, the UNESCO‑Intergovernmental Oceanographic Commission (UNESCO‑IOC) and the World Meteorological Organization (WMO).

“We aim to reach a point where cable system suppliers are offering all their customers the option of standardized SMART capability,” says task force chair Bruce M. Howe, a University of Hawaii research professor.

At Station ALOHA 100 kilometres north of Oahu, Howe installed and now operates a cabled scientific observatory at a depth of 4728 metres, making it the world’s deepest of its kind.

The Joint Task Force has helped develop the technical and financial feasibility of SMART cables. It now works closely with United Nations organizations, governments, and businesses intent on deploying SMART cables at scale.

A Portuguese first

Two years ago, Alcatel Submarine Networks became the first cable provider to commit to SMART, while Portugal’s telecom regulator ANACOM pledged to build SMART into the new CAM [Continent‑Azores‑Madeira] ring cable connecting the mainland to islands a thousand kilometres out in the Atlantic Ocean.

“SMART cables have been on our agenda since 2018, when planning the replacement of the ageing existing cables,” says João Cadete de Matos, Chair of ANACOM.

The submarine cable division of NEC Japan has installed more than 6000 kilometres of submarine cables dedicated to scientific sensing, which are now operated by Japan’s National Research Institute for Earth Science and Disaster Resilience. The first submarine cables for tsunami forecasts were deployed 12 years ago, and the network was expanded after the 2011 Great East Japan Earthquake — but without supporting commercial telecoms in parallel.

The Brazil‑Portugal trans‑Atlantic cable system, known as EllaLink, was the first to dedicate a fibre of a commercial telecoms cable to environmental sensing, between Madeira Island and the trunk cable. Portugal now plans to include full‑fledged SMART capability in the new CAM cable ring, with sensors embedded in the 50 or so repeaters distributed at 70‑kilometre intervals along the 3700‑kilometre system.

“We understood the significance of the opportunity. Three tectonic plates meet in this region, making it prone to earthquakes, and much international data traffic will run through the region,” says Matos.

This system could become the first step towards commercial telecom cables equipped with SMART capabilities.

“Portugal has been a huge voice of support. Some 15 to 20 per cent of international submarine cables will pass through Portuguese waters,” says Howe. “Portugal’s experience can catalyse the growth of a SMART cable community in Europe and globally.”

Added SMART capability will form around 10 per cent (EUR 12 million, or about USD 13 million) of the total cost to deploy the new government‑sponsored CAM cable. Expected to enter service in 2025, the cable will be constructed integrating sensors built by specialized companies.

Other SMART projects are in various stages of planning and development in Indonesia, the Vanuatu–New Caledonia island area, and even Antarctica.

The project between Vanuatu and New Caledonia — supported by the Joint Task Force with funding from the Gordon and Betty Moore Foundation — will establish cable linkage across a “young” subduction zone (just 50 million years of age), complete with a 6500‑metre‑deep trench where hundreds of earthquakes are known to happen each year, with associated tsunami risks.

“This project will be a major accomplishment for the Joint Task Force,” says Howe, “and important in forming the foundations of an enduring regional science and early‑warning ecosystem, bringing together scientific communities, providing training, and bringing more confidence to government and industry.”

Smarter sensors

SMART cables include tried‑and‑tested environmental and hazard‑monitoring sensors in cable repeaters, which house devices amplifying the optical communication signals at intervals along a submarine cable.

Three sensors measure ocean‑bottom temperature as an indicator for climate trends; pressure for sea‑level rise, ocean currents, and tsunamis; and seismic acceleration for earthquake detection and tsunami alerts. Sensors should be operational at all times, and all detected data will be transmitted to cable landing stations at the speed of light.

“The three sensors will give us essential ocean variables, and they are compact and robust, and relatively easy to integrate in cable repeaters,” says Howe.

And SMART monitoring will keep getting smarter, he adds.

“In 10 years, we could consider more elaborate sensing capabilities, such as salinity, to add to what temperature and pressure tell us about circulation; water chemistry to understand risks like ocean acidification; and ocean sound measurements for monitoring marine mammals and biodiversity.”

Undersea and under budget

For now, some 70 DART buoys — for Deep‑ocean Assessment and Reporting of Tsunamis — are the principal existing means of tsunami detection.

But 30 per cent of those are typically out of service at any time, says Howe. By contrast, probability studies suggest a failure rate of just 5 per cent for the new sensors over a cable’s 25‑year operational life.

A SMART cable spanning the Pacific region, where most of the US‑operated DART buoy network is located, could therefore come at a more attractive price as well as offer more valuable and reliable real‑time data with no maintenance.

The current DART buoy programme run by the US National Oceanic and Atmospheric Administration (NOAA) costs USD 27 million a year, while the international Argo programme, with 4000 expendable floats, costs around USD 32 million a year.

The US National Science Foundation’s Ocean Observation Initiative, using buoys, gliders, autonomous vehicles, and a cable system, has annual operating costs of about USD 44 million, on top of some USD 400 million it took to set up.

In contrast, the Joint Task Force calculates annual expenditures of just USD 40 million to sustain 2000 SMART cable repeaters in 30 systems around the world, assuming a very conservative 10‑year refresh cycle.

Find more resources and contact the ITU/WMO/UNESCO-IOC Joint Task Force on SMART Cable Systems.

[Source: ITU]

Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

DOE Should Address Lessons Learned from Previous Disasters to Enhance Resilience

Natural disasters, such as cyclones, earthquakes, hurricanes, wildfires, and severe storms—and the power outages resulting from these disasters—have affected millions of customers and cost billions of dollars. The growing severity of wildfires and extreme weather events in recent years has been a principal contributor to an increase in the frequency and duration of power outages in the United States. Federal agencies, such as DOE and the Federal Emergency Management Agency, play a significant role in disaster response, recovery, and resilience.

This report (1) identifies lessons learned from federal, state, and other entities' responses to selected disasters that affected the electricity grid from 2017 to 2021; and (2) examines federal agency actions to address those lessons learned. GAO selected a nongeneralizable sample of 15 of 35 disasters that affected the grid from 2017 to 2021. The 15 selected were among the most severe events across a range of types, locations, and years. GAO also examined agency and industry responses; reviewed relevant reports, policies, and documents; and interviewed federal, state, and local officials, as well as selected industry stakeholders.

Power outages caused by natural disasters have affected millions of customers and cost billions of dollars. The Department of Energy plays a key role in disaster response and long-term electricity grid recovery.

DOE has taken some steps to improve its workforce and training, tools and technology, and local capacity to respond to disasters. But DOE does not have a comprehensive plan for coordinating response and recovery responsibilities within the agency. In addition, DOE has not used lessons learned from previous disasters to prioritize recovery efforts.

In responding to selected disasters occurring between 2017 and 2021, federal, state, and other stakeholders identified lessons learned in the areas of planning and coordination, workforce and training, tools and technology, and local capacity. In the area of planning and coordination, agency officials and reports highlighted that disaster responses were more effective when strong working relationships existed between federal, industry, and local stakeholders. Regarding workforce and training, a Department of Energy (DOE) report emphasized the importance of having a dedicated pool of responders with expertise in grid reconstruction and recovery, especially when responding to multiple, concurrent or successive disasters.

Federal agencies have taken steps to address lessons learned by improving workforce and training, tools and technology, and local capacity. For example, to address workforce lessons, DOE began deploying a Catastrophic Incident Response Team to quickly bring responders with subject-matter expertise to affected areas. However, DOE does not have a comprehensive approach for coordinating its broader grid support mission that includes disaster response, grid recovery, and technical assistance efforts. Specifically, roles and responsibilities within DOE for transitioning from response to recovery are unclear, as is how lessons learned from previous disasters are used to prioritize recovery and technical assistance efforts. GAO's Disaster Resilience Framework states that bringing together the disparate missions and resources that support disaster risk reduction can help build resilience to natural hazards. By establishing a comprehensive approach that clearly defines roles and responsibilities, and acting on lessons learned across DOE, the department could better target resources and technical assistance. This approach, in turn, can lead to enhanced grid resilience and reduced disaster risk.

NSA, CISA, and FBI Expose PRC State-Sponsored Exploitation of Network Providers, Devices

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) today, “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.” The advisory highlights how People’s Republic of China (PRC) actors have targeted and compromised major telecommunications companies and network service providers primarily by exploiting publicly known vulnerabilities. Networks affected have ranged from small office/home office (SOHO) routers to medium and large enterprise networks.

PRC actors have exploited specific techniques and common vulnerabilities since 2020 to their advantage in cyber campaigns. Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks with which to target a wide range of public and private sector organisations.

General mitigations outlined in the advisory include: applying patches as soon as possible, disabling unnecessary ports and protocols, and replacing end-of-life network infrastructure. NSA, CISA, and FBI also recommend segmenting networks and enabling robust logging of internet-facing services and network infrastructure accesses.

The advisory is broken down into three sections: an explanation of common vulnerabilities exploited by PRC state-sponsored cyber actors, an introduction of how telecommunications and network service provider targeting occurred through open source and custom tools, and an overview of recommended mitigations.

DOD Needs to Improve Performance Reporting and Cybersecurity and Supply Chain Planning

For fiscal year 2022, DOD requested approximately $38.6 billion for its unclassified IT investments. These investments included programs such as communications and command and control systems. They also included major IT business programs, which are intended to help the department carry out key functions, such as financial management and health care.

The NDAA for FY 2019 included a provision for GAO to assess selected DOD IT programs annually through March 2023. GAO's objectives for this review were to (1) examine how DOD's portfolio of major IT acquisition business programs has performed; (2) determine the extent to which the department has implemented software development, cybersecurity, and supply chain risk management practices; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address these objectives, GAO determined that DOD's major IT business programs were the 25 that DOD reported to the federal IT Dashboard as of December 2021 (The IT Dashboard is a public website that includes information on the performance of IT investments). GAO examined DOD's planned expenditures for these programs from fiscal years 2020 through 2022, as reported in the department's FY 2022 submission to the Dashboard.

GAO obtained the programs' operational performance data from the Dashboard and compared the data to OMB guidance. It also met with DOD CIO officials to determine reasons why programs were not reporting data in accordance with guidance.

In addition, GAO aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that the programs experienced since January 2020.

GAO also aggregated DOD program office responses to the questionnaire that requested information about software development, cybersecurity, and supply chain risk management plans and practices. GAO compared the responses to relevant guidance and leading practices.

Further, GAO reviewed actions DOD has taken to implement its plans for addressing previously identified legislative and policy changes that could affect its IT acquisitions. This included reviewing information associated with the department's efforts to (1) finalize strategies for its business system and software acquisition pathways; (2) implement modern approaches to software development such as transitioning to Agile; and (3) reorganize the responsibilities of the former Chief Management Officer throughout the department. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.

According to the Department of Defense's (DOD) fiscal year (FY) 2022 submission to the federal IT Dashboard, DOD planned to spend $8.8 billion on its portfolio of 25 major IT business programs between FY 2020 and 2022. In addition, 18 of the 25 programs reported experiencing cost or schedule changes since January 2020. Of these programs, 14 reported the extent to which program costs and schedules had changed, noting cost increases ranging from $0.1 million to $10.7 billion and schedule delays ranging from 5 to 19 months. Program officials attributed the changes to various factors, including requirement changes or delays, contract developments, and technical complexities.

Programs also reported operational performance data to the federal IT Dashboard. As of December 2021, the 25 programs collectively identified 172 operational performance metrics consistent with Office of Management and Budget (OMB) guidance. These metrics covered a range of performance indicators such as the timeliness of program deliverables and the percentage of time that systems were available to users. However, programs only reported progress on 77 of the 172 operational performance targets.

Nineteen programs did not fully report progress on their operational performance. Officials from the Office of the DOD CIO stated that programs that have operational performance measures should be reporting them to the Dashboard. They added that there were multiple factors that could have led to programs not reporting the metrics, including a reorganization that shifted responsibilities for IT investment management and confusion about the reporting requirement. Nevertheless, by reporting incomplete performance data, DOD limits Congress' and the public's understanding of how programs are performing.

As of February 2022, DOD program officials from all 11 (of the 25) major IT business programs that we considered to be actively developing new software functionality reported using recommended iterative development practices that can limit risks of adverse cost and schedule outcomes. Officials from eight of the 11 programs reported using Agile software development, which can support continuous iterative software development. Officials for five of the programs also reported delivering software functionality every 6 months or less, as called for in OMB guidance. Officials for three programs reported a frequency greater than 6 months and officials from the remaining three did not indicate a frequency.

In addition, as of February 2022, officials from the 25 major IT business programs reported on whether they had an approved cybersecurity strategy as required by DOD.

Officials from DOD CIO stated that they will follow up with the programs that did not provide an approved cybersecurity strategy. Until DOD ensures that these programs develop strategies, programs lack assurance that they are effectively positioned to manage cybersecurity risks and mitigate threats.

Officials from the 25 programs also reported on whether they had a system security plan that addresses information and communications technology (ICT) supply chain risk management, as called for by leading practices.

DOD guidance does not require programs to address ICT supply chain risk management in security plans. According to officials from DOD CIO, IT programs might address supply chain risk management in program protection plans. In addition, they noted that recent supply chain efforts have been focused on weapons systems. However, 15 of DOD's major IT programs did not demonstrate that they had a supply chain risk management plan. Until DOD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.

Regarding actions to implement legislative and policy changes, the National Defense Authorization Act (NDAA) for FY 2021 eliminated the DOD chief management officer (CMO) position. This position previously had broad oversight responsibilities for DOD business systems. In September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. GAO will continue to monitor DOD's efforts to redistribute the roles and responsibilities formerly assigned to the CMO.

Coordinated Vulnerability Disclosure policies in the EU

Vulnerability disclosure has become a focus of attention for cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union. The concern is well founded: unaddressed vulnerabilities translate directly into cybersecurity threats, as the impact of the Log4Shell vulnerability demonstrated.

Security researchers and ethical hackers constantly scrutinise ICT systems, both open source and commercial closed source software, to find weaknesses, misconfigurations, software vulnerabilities and similar flaws. A wide range of issues is thus revealed: weak passwords, fundamental cryptographic flaws or deeply nested software bugs.

Identifying vulnerabilities is therefore essential if we want to prevent attackers from exploiting them. It is important to keep in mind that once a vulnerability is disclosed to the public, attackers can develop malware specifically designed to exploit it, which is why the timing of disclosure matters. Identification alone is not enough: vendors can also be reluctant to acknowledge vulnerabilities, since doing so might damage their reputation.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process by which vulnerability finders work together and share information with the relevant stakeholders, such as vendors and ICT infrastructure owners.

CVD ensures that software vulnerabilities are disclosed to the public only once the vendor has been able to develop a fix or a patch, or has found a different solution.

What are national CVD policies?

National CVD policies are national frameworks of rules and agreements designed to ensure:

researchers contact the right parties to disclose the vulnerability;
vendors can develop a fix or a patch in a timely manner;
researchers get recognition for their work and are protected from prosecution.

What is the situation in the EU?

The report published today maps the national CVD policies in place across the EU, compares the different approaches and highlights good practices.

The analysis reveals a wide disparity among Member States in how far their CVD policies have progressed. At the time the data used in the report was collected, only four Member States had already implemented such a CVD policy, while another four were about to do so. The remaining Member States fall into two groups: those currently discussing how to move forward and those who have not yet reached that stage.

What are ENISA’s recommendations to promote CVD?

The main recommendations from the analysis of nineteen EU Member States include:

amendments to criminal laws and to the Cybercrime Directive to offer legal protection to security researchers involved in vulnerability discovery;
the definition of specific criteria for a clear-cut distinction between "ethical hacking" and "black hat" activities prior to establishing any legal protection for security researchers;
incentives for security researchers to actively participate in CVD, either through national or European bug bounty programmes, or through promoting and conducting cybersecurity training.

Apart from the above, additional recommendations are issued in relation to the economic and political challenges, and also address operational and crisis management activities.

Next steps

The Commission’s proposal for the revision of the Network and Information Security Directive (the NIS2 proposal) provides for EU countries to implement a national CVD policy. ENISA will support the EU Member States with the implementation of this provision and will develop a guideline to help them establish their national CVD policies.

In addition, ENISA will need to develop and maintain an EU Vulnerability database (EUVDB). The work will complement the already existing international vulnerability databases. ENISA will start discussing the implementation of the database with the European Commission and the EU Member States after the adoption of the NIS2 proposal.

Background material

The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in 2016, and the economic impact of vulnerabilities was explored in detail in 2018. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2018/2019 State of Vulnerabilities report.

Suspected head of cybercrime gang arrested in Nigeria

The cybercrime unit of the Nigeria Police Force arrested a 37-year-old Nigerian man in an international operation spanning four continents, coordinated and facilitated by the recently created Africa operations desk within INTERPOL’s cybercrime directorate.

The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims.

Law enforcement and cybersecurity firms have witnessed the striking increase in many forms of cybercrime in recent years, exploiting the context of COVID-19 and forming what INTERPOL Secretary General Jürgen Stock has called a “parallel pandemic”.

INTERPOL’s Africa desk, called the African Joint Operation against Cybercrime (AFJOC) and funded by the UK Foreign Commonwealth and Development Office, was launched in May 2021 to boost the capacity of 49 African countries to fight cybercrime.

Tracking the suspect’s movements, online and offline

That same month, the police operation, codenamed Delilah, was initiated by an intelligence referral from several INTERPOL partners from the private sector: Group-IB, Palo Alto Networks Unit 42 and Trend Micro.

The intelligence was enriched by analysts within INTERPOL’s Cyber Fusion Centre, which brings together experts from law enforcement and industry to turn information on criminal activities into actionable intelligence. INTERPOL’s AFJOC desk then referred the intelligence to Nigeria and followed up with multiple case coordination meetings supported by law enforcement in Australia, Canada and the United States.

Investigators began to map out and track the alleged malicious online activities of the suspect, thanks to ad hoc support from private sector firm CyberTOOLBELT, as well as tracking his physical movements as he travelled from one country to another. Nigerian law enforcement successfully apprehended the suspect at Murtala Mohammed International Airport in Lagos.

“The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and INTERPOL’s private sector partners in combating cybercrime,” said Garba Baba Umar, Assistant Inspector General of the Nigeria Police Force, Head of Nigeria’s INTERPOL National Central Bureau and Vice President for Africa on INTERPOL’s Executive Committee.

“I hope the results of Operation Delilah will stand as a reminder to cybercriminals across the world that law enforcement will continue to pursue them, and that this arrest will bring comfort to victims of the suspect’s alleged campaigns,” the Assistant Inspector General added.

“This case underlines both the global nature of cybercrime and the commitment required to deliver a successful arrest through a global to regional operational approach in combatting cybercrime,” said Bernardo Pillot, INTERPOL’s Assistant Director, Cybercrime Operations.

“The persistence of national law enforcement agencies, private sector partners and the INTERPOL teams all contributed to this result, analysing vast quantities of data and providing technical and live operational support,” Mr Pillot added. “Cybercrime is a threat that none of our 195 member countries face alone.”
