Cybersecurity Update – June 2021

Cybersecurity was front-page news in May. Here is a look at cybersecurity news and resources from the past month.

by John Guerriero

With the Colonial Pipeline hack, cybersecurity was front-page news in May. In the wake of the attack, DHS announced cyber requirements for critical pipeline owners and operators, President Biden signed a Cybersecurity Executive Order aimed at the modernization of cybersecurity defenses and improving information sharing, and CISA and the FBI released a cybersecurity advisory on best practices for preventing business disruption from specific ransomware actors.

While the attack certainly raised public awareness of the rapidly evolving and expanding technological threats we now face, cybersecurity has long been a critical issue for Governors. Here are some of the other items the Resource Center for State Cybersecurity has been following:

Microsoft Announces New NOBELIUM Campaign

The Microsoft Threat Intelligence Center (MSTIC) has discovered a large-scale, sophisticated email campaign targeting government entities as well as intergovernmental and non-governmental organizations. The campaign uses compromised credentials from Constant Contact – an email marketing software company – to send phishing emails that appear to be from the U.S. Agency for International Development (USAID) and deliver malicious links. The MSTIC has outlined motives, indicators of compromise and recommended mitigations. While official attribution has not occurred, the MSTIC reports that the campaign is operated by Nobelium, the threat actor behind the SolarWinds attacks. Read its blog here.

CISA and the FBI released a joint advisory on the campaign here. The U.S. Department of Justice also seized two domain names used by the campaign.

President Biden’s Proposed Budget Includes Cybersecurity Increases

President Biden’s proposed budget released last week calls for nearly $10 billion in federal civilian cybersecurity funding, an increase of 14% from this current fiscal year. The plan also includes $750 million reserved to respond to lessons learned from the SolarWinds incident. Other notable items from the budget include an additional $500 million to the Technology Modernization Fund which will look to update federal IT systems and equipment. Read the President’s proposal here.

GAO Reports: Cyber Insurance & Federal Agency Supply Chain Risk

The U.S. Government Accountability Office (GAO) released a report on the current cyber insurance market, finding that take-up rates and the price of insurance have increased significantly since 2016. Likewise, the GAO also found that coverage limits have been reduced in certain sectors (e.g., healthcare and education). The report calls for increased collaboration between the public and private sector on information on cyber events and more consistent terminology and policy language. Read more here.

The GAO released a separate report on federal agencies’ need to implement recommendations to manage supply chain risks. Federal agencies rely extensively on information and communication technology (ICT) products and services (e.g., computing systems, software, and networks) to carry out their operations. However, agencies face numerous ICT supply chain risks that threaten to compromise the confidentiality, integrity, or availability of an organization’s systems and the information they contain. Read more here.

COVID-19 Response Spotlights Critical Role Local CIOs Play

CompTIA’s Public Technology Institute published its annual study of city and county technology and workforce trends. The 2021 study focuses on ten sections, including Cybersecurity; the Impact of COVID-19 on IT Operations; The Cloud and Managed Services; Smart City/County Strategies; Emerging Tech; and State of Skills of IT Personnel. Read the full report here.

Proofpoint 2021 Voice of the CISO Report

Proofpoint released its inaugural 2021 Voice of the CISO report which explores key challenges facing chief information security officers over the past year. The report surveyed 1,400 CISOs around the world on their experience from the last year and their insights for the next 2 years. Among the findings, 66% of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability. Download the report here.

CISA Potential Threat Vectors to 5G Infrastructure

CISA, in coordination with the National Security Agency and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—released a Potential Threat Vectors to 5G Infrastructure paper. This paper identifies and assesses risks and vulnerabilities introduced by 5G technology. Read the paper here.

FTC: Cryptocurrency Buzz Drives Record Investment Scam Losses

Since March 2020, the Federal Trade Commission (FTC) has seen a 1000% rise in the number of reported cryptocurrency scams. Nearly 7,000 people have reported losses of more than $80 million on these scams. This FTC report highlights trends in the data over the past few years and identifies different types of scams used by malicious actors. Read more here.

Eight Virginia Universities Announce Cybersecurity Workforce Projects

Researchers from eight universities in Virginia will take part in $1 million worth of state-funded cybersecurity and autonomous vehicle-focused research projects through a statewide research initiative. The projects are designed to benefit different aspects of the cybersecurity workforce, including bio-cybersecurity and autonomous vehicle cybersecurity, as well as boosting cybersecurity startups and expanding internship programs. Read more here.

Hackers Threaten to Release Police Records, Knock 911 Offline

The Babuk cybergang that breached the Washington, D.C. Metropolitan Police Department is threatening to release the personal information of more officers if officials do not pay ransom. In April, the group breached the network and released the personal information of nearly two dozen officers, including Social Security numbers and psychological assessments. Read more here.

Public Comment Period Opens for National K-12 Cybersecurity Learning Standards

CYBER.ORG announced the opening of the public comment period for the most recent version of the K-12 cybersecurity learning standards that have been underway since September 2020. The public comment period closes on June 4th and the feedback will be incorporated into the final version of the standards, which CYBER.ORG plans to release publicly at the start of the 2021-22 school year, with voluntary adoption likely to begin in states the following year. Read more about the standards and the comment process here.