Updates to CFAA guidance, ransomware progress and problems with a Pentagon cyber push
FAndrey/Flickr
Welcome to Changelog for 5/22/22, published by Synack! Blake here, struggling to beat the heat in Washington. We’ve seen our first 90-plus-degree days since fall over the weekend, and there’s more to come this summer. I’ll consider it practice for Hacker Summer Camp in August. Now, for some cool news:
The payload
The Computer Fraud and Abuse Act is the white whale of the white hat hacking community, tripping up countless well-meaning security researchers since it was signed into law in 1986.
Back then, “laptops” weighed over 10 pounds, and primordial computer viruses spread through floppy disks. Digital rights groups have long since pressured lawmakers and Justice Department officials to revisit the anti-hacking law, which was infamously wielded against computer programmer and posthumous Internet Hall of Famer Aaron Swartz in the early 2010s.
So many cybersecurity and legal experts cheered DOJ’s announcement Thursday that it was revising its prosecutorial approach to alleged CFAA violations, directing that “good-faith security research should not be charged.”
But the law itself still stands. And despite the new DOJ policy — which Cybersecurity and Infrastructure Security Agency Director Jen Easterly lauded as “huge news”—CFAA is bound to remain a sore spot for years.
That’s in part because the CFAA, at its core, does not define what constitutes “unauthorized access, or exceeding authorized access” to a computer. And companies can still sue cybersecurity researchers on CFAA grounds, federal about-faces not withstanding.
DOJ even included a caveat in its announcement Thursday suggesting claims of “research” must at least pass the laugh test:
“[T]he new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith,” DOJ said.
And DOJ attorneys assuredly still have some thoughts on what falls under “bad faith.”
The week, compiled
The Pentagon is plowing ahead with an arcane cybersecurity program that befits the complexity of the U.S. Defense Industrial Base. Small businesses beware: Compliance with the Defense Department’s Cybersecurity Maturity Model Certification program, or CMMC, could be more than a mere nuisance by the time it fires up in summer 2023, as Shaun Waterman reports for README.
Not only do non-cyber experts need to wade through acronym soup to reach accreditation under CMMC, but an estimated 80,000 DOD suppliers could also face six-figure annual price tags just to prove they’re in line with the program.
In all the red tape, it’s easy to forget the stakes: DOD officials have to worry about every company selling into the DIB, whether it’s a cutting-edge cloud computing software provider or a humble concrete supplier. Done right, CMMC could help prevent hackers from exploiting weak points in the DOD supply chain to steal U.S. military secrets. But as Waterman writes, there’s a long road ahead for any company that will need to fall in line with the program.
Vice: Researches from Germany’s Technical University of Darmstadt have shown they can implant malware on an iPhone even when it’s turned off by exploiting a chip used to enable Bluetooth. The demonstration is academic: There’s no easy way for malicious hackers to use the method in practice.
TechCrunch: Speaking of Bluetooth, cybersecurity researchers at the NCC Group in the U.K. said in a technical advisory last week that they could exploit a weakness in Tesla’s Bluetooth Low Energy system to unlock and remotely operate electric vehicles. Again, the attack path is still theoretical.
The Washington Post: The Department of Homeland Security suspended its “Disinformation Governance Board” weeks after announcing it, after critics made Orwellian “Ministry of Truth” comparisons and a good dose of, well, disinformation swirled around the organization and its executive director, Nina Jankowicz.
A message from Synack
Going to the RSA Conference this year? Stop by Synack’s “Journey by the Bay” experience that includes executive thought leadership sessions, demonstrations of Synack solutions and a showcase of emerging cybersecurity companies. And don’t miss our parties that will rock the City by the Bay with live music, libations and food. Find us anytime at Fogo de Chão — 98 steps from RSAC at the Moscone Convention Center. Find out more here.
Flash memory
One year ago, the Institute for Security and Technology’s Ransomware Task Force issued a slate of recommendations aimed at combating one of the most pervasive and costly cyberthreats out there.
Many ideas in the group’s report were laser-focused, like expanding Homeland Security Preparedness grants to encompass cybersecurity threats or building a centralized subrogation fund to help insurance companies navigate the complex and risky world of ransomware cost recovery. Others were more evergreen, such as highlighting the need to boost cyberthreat information sharing or urging governments to crack down on sketchy cryptocurrency exchanges.
IST held a special event Friday to follow up on the response to the volunteer task force’s action items, and speakers broadly welcomed headway in the fight against ransomware.
Still, no one was ready to declare victory.
“I think we’ve made progress… At the end of the day, this is not a problem to be solved,” CISA’s Easterly said as she announced the kickoff of a Joint Ransomware Task Force at the event. “This is a persistent issue.”
Local files
Reuters: India is forging ahead with controversial data breach reporting requirements despite pushback from Big Tech. Companies have voiced concerns that the six-hour deadline for reporting hacks is too onerous.
CyberScoop: Information operations have sprouted up like weeds amid the ongoing war in Ukraine, with the latest campaign originating from a Belarus-backed group that’s pushing lies about a bogus organ-harvesting cabal targeting Ukrainian refugees.
The New York Times: Check Point researchers disclosed a Chinese state-backed hacking campaign targeting Russian defense organizations, showing that Beijing views Moscow as a legitimate target for cyberespionage despite building closer ties with President Putin in recent months.
TechCrunch: Costa Rica’s messy, weeks-long battle with the Conti ransomware gang escalated further, with the cybercriminal organization reportedly doubling its ransom demand to $20 million as Costa Rica President Rodrigo Chaves declared the country “at war” with the group.
Off-script
Explorers in China discovered a secret forest tucked away in a sinkhole deep enough to swallow the Washington Monument.
The awe-inspiring karst formation in southern China’s Guangxi region could host previously unknown animal species, as The Washington Post reported.
It’s the kind of hidden treasure that I’d love to see with my own eyes, were it not to require a terrifying rappel:
That’s it for this week — please send any feedback, tips and last-minute RSA pitches to bsobczak@synack.com. Changelog is taking a Memorial Day break, so see you Sunday, June 5, when I’ll be flying out to San Francisco for RSA!