Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 2, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an insightful article published by our partner Prevalent and written by Tom Garrubba, Director of TPRM Services at Echelon Risk + Cyber, who shares his expertise in cybersecurity, data privacy, audit, compliance, and consulting. Gain valuable insights on documentation, corporate policies, and meaningful metrics to streamline your TPRM program.

Top 5 Third-Party Risk Management Compliance Mistakes

Away we go!

1. SEC's Warning Shot: SolarWinds' CISO and Employees May Face Enforcement Action

The Securities and Exchange Commission (SEC) has taken a rare legal action by sending notice to SolarWinds' Chief Information Security Officer (CISO) and other employees, indicating that they may face civil enforcement action over the Russian hack of the company. The SEC issued these "Wells Notices" to the employees, which notify them that the agency believes they may have violated federal securities laws. The notices went to Tim Brown and Barton Kalsu. Brown, who is the current CISO of SolarWinds, was head of security architecture for the company at the time of the breach. Kalsu is the company’s CFO.


The recipients of the notices have the opportunity to respond to the SEC in writing before any decisions are made. SolarWinds, as an organization, had already received a Wells notice last year, but the notices to specific employees are new. The SEC previously found issues with the company's cybersecurity disclosures and public statements surrounding the breach. If the SEC proceeds with legal action, the employees could face penalties and be barred from serving as officers or directors of any public company in the future.

This move by the SEC is significant, particularly for the targeted CISO, as Wells notices are uncommon in relation to cybersecurity matters. Typically, such notices are related to securities or financial fraud that can impact a company's stock price or value. However, in the era of large-scale cyberattacks like the SolarWinds breach, the SEC recognizes the broader impact these incidents have on entire sectors. The SEC's actions indicate a growing commitment to expanding its role in cybersecurity oversight. Last year, the commission increased the size of its Crypto Assets and Cyber Unit, and it proposed amendments to cybersecurity rules for public companies. The SEC aims to ensure companies disclose information about their cybersecurity policies, procedures, and incidents.

SolarWinds' CEO, Sudhakar Ramakrishna, responded to the Wells notices, expressing the company's confidence that it acted appropriately both before and in response to the attack. Ramakrishna emphasized that the cyberattack was carried out by a nation-state actor using sophisticated techniques that were difficult to prevent. The company disclosed the breach to the SEC and the public promptly after discovery. However, the SEC may argue that SolarWinds failed to fully secure its build environment, allowing the breach to occur. This case could set a precedent for future legal actions by the SEC against CISOs and companies in relation to cybersecurity incidents, as the commission expands its focus on protecting investors from cyber-related threats.

2. Apple Joins WhatsApp and Signal in Voicing Concerns over UK's Online Safety Bill

In a growing chorus of opposition, Apple has expressed serious reservations about the UK's proposed Online Safety Bill, citing potential threats to end-to-end encryption. The company warns that the bill, if implemented as written, could compromise the privacy and security of UK citizens. Apple joins the ranks of encrypted messaging services like WhatsApp and Signal in objecting to a provision that would require tech companies to use "accredited technology" to identify and remove child sexual abuse content. This demand to scan messages for illegal content, even with measures like client-side scanning, would undermine the fundamental principle of end-to-end encryption.


End-to-end encryption is a critical tool that safeguards the privacy of journalists, human rights activists, diplomats, and everyday citizens alike. Apple argues that the proposed bill poses a significant risk by nullifying the purpose of end-to-end encryption, potentially exposing users to surveillance, identity theft, fraud, and data breaches. The company advocates for explicit protections for end-to-end encryption within the bill, recognizing the vital role it plays in defending against intrusive surveillance and protecting sensitive information.

While the government asserts that the bill's rules are essential for apprehending criminals, the opposition maintains that a balance must be struck between strong encryption and public safety. The Online Safety Bill, currently progressing through the UK's House of Lords, has generated controversy with various amendments aiming to combat deepfake images and revenge porn. As discussions continue, the bill's potential impact on privacy, security, and the rights of UK citizens remains a topic of intense debate.

Overall, the Online Safety Bill has sparked concerns among technology companies and privacy advocates who emphasize the need to uphold end-to-end encryption and protect user privacy while addressing legitimate concerns about online safety and illegal content. The outcome of this ongoing debate will have far-reaching implications for the future of online communication and the delicate balance between privacy, security, and public safety.

3. MOVEit Ripples Continue to be Felt in Massive CalPERS Breach

The personal information of approximately 769,000 retired California employees and beneficiaries, including Social Security numbers, has been exposed in a data breach, according to CalPERS, the country's largest public pension fund. The breach occurred as a result of a cyberattack on a third-party vendor responsible for verifying deaths. The vendor, PBI Research Services/Berwyn Group, also experienced a data breach where the personal information of at least 2.5 million Genworth Financial policyholders, including Social Security numbers, was stolen by the same cybercriminal group.


The breach of the file-transfer application, MOVEit, has impacted numerous organizations globally, including federal agencies, universities, and major companies such as Ernst & Young, British Airways, and the BBC. The criminal gang behind the attack, known as Cl0p, has been extorting victims and threatening to release their data online if they refuse to pay. CalPERS and Genworth have taken steps to mitigate the damage caused by the breach, including offering affected individuals credit monitoring and identity theft protection.

This incident highlights how exposed organizations are to supply-chain attacks and the importance of strong defense-in-depth security measures and implementing zero-trust principles. CalPERS CEO, Marcie Frost, expressed dissatisfaction with the breach and emphasized the need for immediate action to protect members' financial interests. CalPERS, with its significant assets and membership, aims to address the breach's impact and ensure long-term safeguards are in place. As investigations continue, affected individuals will be notified, and efforts to enhance security measures will be implemented to prevent future breaches.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
