A national cyber strategy, EPA cyber regulations and one giant leap for space hacking

Pierre-Selim/Flickr

Welcome to Changelog for 3/5/23, published by Synack! Blake here, filling in for Nate Mott over the next few weeks. I just got back from my first visit to San Diego — more on that trip below. Here’s what happened in the world of cyber while I was soaking up some sun (and maybe a little hail):

 

The payload

The Biden administration published its highly anticipated National Cybersecurity Strategy last week, which acting national cyber director Kemba Walden billed as a document that “fundamentally reimagines America’s cyber-social contract.”

The cyber roadmap touches on some familiar themes from former President Trump’s 2018 cyber strategy. These include highlighting the need for the government to partner with the private sector, outlining how to build cyber capacity among international allies and laying plans to enhance the security of U.S. space systems like satellites.

But President Biden evidently wants to goad the private sector into taking more action to secure high-risk networks, whether through regulations (a word mentioned only once — disparagingly — in Trump’s strategy) to “level the playing field” or through legislation to update how and whether companies can be held liable when software vulnerabilities crop up in their products.

In a background call with reporters, Walden acknowledged that the new strategy “asks more of industry,” but she added it “also commits more from the federal government.”

“[F]or government, we have a duty to the American people to also double down on tools that only government can wield, including the law enforcement and military authorities to disrupt malicious cyberactivity and pursue their perpetrators,” she said.

Cybersecurity experts broadly welcomed Biden’s strategy, with many pointing out they’re grateful the White House has a strategy at all. (Some Republican lawmakers offered a more tepid response, cautioning against further mandatory cyber requirements.)

Still, the fact that the document acknowledged the work done by Biden’s predecessor in the Oval Office suggests cybersecurity is one of the last bastions of bipartisanship.

The document “replaces the 2018 National Cyber Strategy but continues momentum on many of its priorities,” it says, “including the collaborative defense of our digital ecosystem.”

The week, compiled

EPA seized the opportunity to release its own cybersecurity mandate in conjunction with the release of the National Cyber Strategy, requiring water utilities to evaluate their own digital defenses as part of so-called “sanitary surveys” conducted every few years.

The memo has drawn pushback from industry groups who warned in a recent letter to EPA that the survey updates are “ill-advised, impractical, and are not designed to meaningfully improve system resiliency.” Industry insiders also groused that the Biden administration had not consulted key groups before issuing the new mandate, CyberScoop reported.

Wikimedia Commons

Cyber vulnerabilities in U.S. water networks snapped into focus following a February 2021 breach of a water treatment facility in Oldsmar, Fla., in which an unknown attacker attempted to ratchet up levels of lye to concentrations that would poison a town of some 15,000 people.

That cyberattack was easily thwarted when an operator saw what was happening and dialed the sodium hydroxide back down before there could be any dangerous changes to the drinking supply.

Still, the episode “could’ve been so much worse,” as one former NSA hacker told the Tampa Bay Times.

Here’s what else caught my eye this week:

Bloomberg: Russia’s “wiper” malware hack of an American satellite company last year turned heads for its widespread impact in Europe and its status as a “wakeup call” to the opaque space services industry. One takeaway, as Bloomberg reported: “It’s tough to fix code in space.”

CNN: A mid-February ransomware attack on the U.S. Marshals Service affected a system containing law enforcement sensitive information, with the Justice Department classifying the breach as a “major incident.”

Wired: Researchers discovered how to reverse engineer a drone operator’s location by latching onto radio signals of certain quadcopters sold by DJI. The problem lies in the devices’ unencrypted DroneID system intended for use by law enforcement and regulators. “Whether you’re privacy-minded or you’re in a conflict zone, nasty stuff can happen,” researcher Moritz Schloegel told Wired.

A message from Synack

Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.

Flash memory

The second annual “Hack-a-Sat” space cybersecurity contest brought a flurry of attention to vulnerabilities in critical communications and GPS networks in December 2021, as README reported at the time. The capture-the-flag hacking competition also carried a hefty $50,000 first prize.

“Seeing these non-traditional, ethical cybersecurity researchers, like we have here, work through [and find vulnerabilities] — it’s invaluable,” said Space Force Capt. Charles “Aaron” Bolen, of Space Systems Command.


This year, the competition is opening up to include hacking in-orbit satellites for the first time, raising the stakes for international competitors.

“Space cybersecurity is a global issue, which is why it is important that Hack-A-Sat is open to the global security researcher community,” said Space Systems Command Col. Kenneth Decker. “By sharing our tools and knowledge, we encourage these talented individuals to understand the nuances in building space system resilience and to work in this ever-important domain.”

Eight hundred teams are expected to compete in April for a chance at the grand prize in the finals later this year.

Local files

AP: The Danish parliament is calling on employees and lawmakers to remove TikTok from their work phones, citing a risk of espionage from the popular Chinese-owned social media app. The assembly issued its recommendation based on intelligence from Denmark’s Center for Cyber Security.

The Washington Post: One year after Russia’s reckless invasion of Ukraine ushered in a “hybrid war” of physical and cyber threats, digital defenses around the world have generally improved. The bad news? Russian cyberthreats still pose big risks.

Off-script

I spent last week in San Diego at a “Synack kickoff” all-company event that really underscored how much the pandemic has upended how we work.

I’ve been with Synack for nearly a year and a half now and just met many of my colleagues for the first time at the event.

We heard from some amazing motivational speakers, including Top Gun: Maverick stunt pilot Frank Weisser, and we swung by Marine Corps Air Station Miramar for an unforgettable tour and dinner (plus a group photo).

That’s all for this week — don’t forget to send tips and feedback to bsobczak@synack.com. See you next Sunday!