Marshals Service Cyber Intrusion
The US Marshals Service (USMS), an agency within the Department of Justice, was hacked during February 2023.
Hackers reportedly gained access to sensitive information, including legal process information, administrative information, and also personally identifiable information pertaining to subjects of USMS investigations, third parties and some USMS employees.
The hacking encompassed a ransomware and data exfiltration event affecting what appears to be a single stand-alone USMS system. The agency classified the incident as a “major incident,” which necessitated Congressional notification.
Federal "Zero Trust"
The Office of Management and Budget (OMB) issued (July 22) FY 2024 budget guidance to agencies on cybersecurity, including Zero Trust Implementation at the top of its list. The Guidance is consistent with more detailed zero trust guidance issued in January.
Federal agencies are expected to achieve certain zero trust goals by the end of 2024, and “demonstrate a commitment in their budget submission to making this shift and achieving a new and more resilient foundational state.”
The core concept behind zero trust is that an organization's devices should not be trusted by default, even if they are previously verified and connected to an organization's network, and that an authentication approach should be structured in a manner that minimizes the risk that a person/device is not who they say they are when a network is being accessed and utilized (e.g., through two-way authentication where two parties are authenticating each other at the same time).
Significant CISA Funding Increase for FY 2022
The Congress passed final FY 2022 funding for the Federal Government (March 10, 2022) to include a $569 million, 28% increase for the principal Federal cybersecurity organization – the Cybersecurity and Infrastructure Security Agency (CISA) – for, among other things, cyber threat hunting (+$120 million); the CyberSentry program (+$95 million); and cybersecurity vulnerability management (+$64 million).
Cybersecurity Reporting Period Approved
Cyber attack reporting requirements for critical infrastructure owners and operators were enacted as part of FY 2022 omnibus funding legislation. Specifically, reporting will be required to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours in the event of a substantial cyber-attack, and within 24 hours if the entity chooses to make a ransomware payment.
Similar cybersecurity reporting proposals were considered during deliberations on last year’s enacted Infrastructure Investment and Jobs Act, but were apparently removed given the concerns of some Senators regarding burdens on business. Increasing cybersecurity concerns with Russia’s invasion of Ukraine and the resulting sanctions helped put this matter back on the table. CISA rulemaking tied to the new requirement could take months, if not years, to finalize, though some kind of interim rules could be put into place immediately.
In a related action, the Securities and Exchange Commission (SEC) announced (March 9, 2022) a proposed rule intended to address disclosure requirements for public companies with respect to cybersecurity. Most significantly, the rule will require public companies to disclose a “material” cybersecurity incident within four business days of the incident.
Infrastructure Bill - Cybersecurity
The Infrastructure Investment and Jobs Act provides $1 billion over four years for grants to states and localities to enhance cybersecurity in government systems. The program encompasses the House-passed State and Local Cybersecurity Improvement Act.
Cybersecurity Blacklist Additions
The Bureau of Industry and Security (BIS) of the Commerce Department added four entities to its "Entity List" through a final rule, a list that effectively 'blacklists' the entities by making them subject to a rigorous licensing process to conduct commercial activities. The Entity List is a tool utilized by BIS to restrict the export, reexport, and in-country transfer of items reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States. The four entities include two entities from Israel, one from Russia, and one from Singapore.
Justice Cyber Fraud Initiative
The Department of Justice (DOJ) announced (October 6, 2021) that it is implementing a "Civil Cyber-Fraud Initiative" that will pursue cybersecurity-related fraud by government contractors and grant recipients. Under the Initiative, DOJ says it will use the current-law False Claims Act to pursue claims related to cybersecurity. The Act includes a whistleblower provision which allows private parties to assist the government in identifying and pursuing fraudulent conduct.
According to DOJ, the goal of using the Act for this initiative is to hold entities/individuals accountable if they "put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."
Third Party Software Vulnerability/Software "Supply Chain" Security
The Biden Administration's cybersecurity Executive Order (EO) 14028 includes provisions to address third party software vulnerability, or the software "supply chain" for software that Federal agencies use. The EO focuses on "critical software", described as "software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)". The National Institute of Standards and Technology (NIST) has established a definition of critical software, security measures for such software, and minimum standards for vendor testing of software.
DOJ Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion
This memo from DOJ to Federal prosecutors was intended to enhance situational awareness and strengthen coordination on ransomware investigations and prosecutions.
Status: the memo was transmitted on June 3, 2021.
Improving the Nation’s Cybersecurity - Executive Order
This Executive Order (14028) is intended to address cybersecurity within the Federal Government in such areas as adoption of a "zero trust" security architecture, information sharing with IT service providers, and security software standards.
Status: this EO was published on May 17, 2021.
Export of Hacking Tools - IFR
This is an Interim Final Rule (IFR) from the Bureau of Industry and Security of the U.S. Department of Commerce. The IFR requires companies to secure a license to export intrusion software and related technologies to countries about which the United States has national security concerns.
Status: as an IFR, the rule is in effect as of the publishing date of October 21, 2021. The agency has, however, requested comments and any final rule may make changes to this IFR.
Secure Equipment Act of 2021
This law provides that the Federal Communications Commission (FCC) cannot consider communications equipment approvals for use in the United States that are from companies identified by the FCC as being "national security threats". Chinese communications companies Huawei and ZTE were identified as national security threats in 2020.
Status: this law was enacted on November 11, 2021.
Paris Call for Trust and Security in Cyberspace
The Paris Call is a cooperation and collaboration framework between governments and the private sector built on nine principles intended to advance cybersecurity.
Status: the United States joined the Paris Call on November 11, 2021.