Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 30, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Echelon Risk + Cyber Welcomes Chad LeMaire as Chief Security Officer

Pittsburgh, PA / 23 July 2023 – Echelon Risk + Cyber, a cybersecurity professional services firm, today announced the addition of Chad LeMaire as Chief Security Officer. Chad is a veteran who served in senior executive cybersecurity roles including the Air Force Special Operations Command, Pacific Air Forces, and U.S. Indo-Pacific Command. As CSO, Chad will offer strategic advisory to Echelon clients and lead client-facing offensive and defensive security teams.

Chad is an accomplished senior cybersecurity executive and CIO with more than 30 years of experience leading large organizations and teams, as well as directing strategic cybersecurity efforts. He has held multiple senior level cybersecurity roles for large organizations where he identified cybersecurity gaps, authored strategies, and implemented cybersecurity capabilities. He was a qualified cyber warfare officer in the U.S. Air Force, commanded the Air Force Blue Team, and led cyber incident responses and vulnerability assessments on critical networks and systems within the Department of Defense. Chad pioneered the development of cyber protection teams and the concept of the Director of Cyber Forces within the Air Force. He also built and led small teams and large organizations which conducted offensive, defensive, and cybersecurity operations.


“We are excited and humbled to add someone of Chad’s caliber to our already high-performing team,” said Dan Desko, CEO of Echelon Risk + Cyber. “His unparalleled leadership combined with deep cybersecurity expertise and exemplary service to our country make him the perfect match for Echelon and our clients as we double down on our commitment to protect the basic human right to security and privacy.”

“Echelon’s mission, vision and values are extremely aligned with my passions for helping organizations improve their cybersecurity, and for growing and mentoring people,” said LeMaire. “I’m excited about the opportunity to help Echelon expand into new industries, develop our internal teams, and help our clients operationalize cybersecurity to make it part of their culture.”

Away we go!

1. SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

The Securities and Exchange Commission (SEC) has voted to adopt its final rule aimed at enhancing cybersecurity disclosures and increasing transparency of cybersecurity oversight and management for public entities.


The rules were first proposed on March 9, 2022, when the Commission released proposed rules, as well as rule and form amendments, to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incidents by public companies that are subject to the reporting requirements of the Exchange Act. The proposal built on previous SEC interpretive guidance, issued by the Commission and its staff in prior years, on how existing disclosure requirements apply to cybersecurity risks and incidents.

After a wait of nearly a year and a half, multiple comment periods, and 150 comment letters, the final rule is now live.

Major Changes from Previously Proposed Rule:

  • The SEC has narrowed the scope of disclosure, adding a limited delay for disclosures that would pose a substantial risk to national security or public safety, and requiring certain updated incident disclosures on an amended Form 8-K instead of Forms 10-Q and 10-K for domestic registrants, and on Form 6-K instead of Form 20-F for foreign private issuers.
  • The SEC has omitted the proposed aggregation of immaterial incidents for materiality analyses.
  • The SEC has streamlined the proposed disclosure elements related to risk management, strategy, and governance.
  • The SEC is not adopting the proposed requirement to disclose board cybersecurity expertise.

Summary of the Requirements Being Adopted:

  • Regulation S-K Item 106(b) – Risk management and strategy: Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
  • Regulation S-K Item 106(c) – Governance: Registrants must describe the board’s oversight of risks from cybersecurity threats, as well as management’s role in assessing and managing material risks from cybersecurity threats.
  • Form 8-K Item 1.05 – Material Cybersecurity Incidents: Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:
      - Nature, scope, and timing; and
      - Impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

  • Form 20-F: Foreign private issuers (FPIs) must describe the board’s oversight of risks from cybersecurity threats, as well as management’s role in assessing and managing material risks from cybersecurity threats.
  • Form 6-K: FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

Important Dates to Consider:

  • The final rules are effective 30 days after publication in the Federal Register.
  • For Item 106 of Regulation S-K, all registrants must provide any such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • For compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying 90 days after publication in the Federal Register or on December 18, 2023, whichever is later.
  • Smaller reporting companies are given an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8-K. That date is 270 days after publication in the Federal Register or June 15, 2024, whichever is later.

2. U.S. Hunts Chinese Malware Threatening Military Operations

According to a recent New York Times article, the United States is on the hunt for Chinese malware that poses a significant threat to American military operations. According to American intelligence, military, and national security officials, the Biden administration believes that China has hidden malicious computer code within the networks that control power grids, communications systems, and water supplies feeding U.S. military bases both domestically and globally. This malware, believed to be the work of Chinese hackers likely affiliated with the People’s Liberation Army, has been dubbed a “ticking time bomb,” with the potential to disrupt or slow American military deployments, including in scenarios such as a Chinese move against Taiwan.


The discovery of this malware has set off intense concern in Washington. It has sparked a series of Situation Room meetings at the White House as officials strive to understand the full scope of the threat. Initial investigations reveal that the Chinese effort is more widespread than initially thought, and the effort to locate and eradicate the code has been underway for some time. What makes the situation particularly alarming is that the malware is embedded within infrastructure that often serves not only military bases but also residential and commercial areas. This means the impact could extend far beyond military disruption, potentially affecting the daily lives of ordinary Americans.

The public exposure of this malware operation comes at a highly charged moment in U.S.-China relations, characterized by technological competition and mutual accusations of cyber malfeasance. While previous Chinese cyber activities focused on intelligence gathering, the newly discovered intrusions appear aimed at disruption. Some officials initially considered leaving the malware in place to monitor it but quickly rejected this option in favor of removing the threat. This approach, however, carries its own risks: removal might tip off the Chinese hackers about U.S. detection capabilities, and some officials fear China could use similar techniques to re-infect military systems with even harder-to-detect software.

Whatever the path forward is, the discovery of Chinese malware within American infrastructure poses a complex and urgent challenge for the U.S. government. Beyond the immediate threat to military operations, the potential broader impact on civilian infrastructure underscores the evolving and sophisticated nature of cyber threats and their collateral damage. As the Biden administration continues to coordinate efforts to protect the country's critical infrastructure, this incident also underlines the necessity for international dialogue on cybersecurity norms and cooperation, particularly between global powers.

3. Call of Duty: Modern Warfare 2 Players Targeted by Self-Spreading Malware

Hackers have been infecting the systems of players of the popular 2009 game title “Call of Duty: Modern Warfare 2” with a self-spreading worm, according to reports from players and a game industry insider. The infection appears to propagate automatically in the game’s online lobbies, and was first reported by a user on a Steam forum on June 26, who urged fellow players to run antivirus because they were under “attack using hacked lobbies.” Subsequent analysis by players indicated that the malware was indeed a worm, based on specific strings found inside it.


Activision, the publisher of Call of Duty: Modern Warfare 2, acknowledged the malware’s existence, albeit vaguely, through an official tweet. The company announced that the game’s multiplayer mode on Steam had been taken offline while it investigates the issue. This malware’s mechanism of infection is particularly concerning because it spreads through online lobbies automatically, jumping from one infected player to another. It is believed that the hackers discovered and exploited one or more bugs in the game to execute this malicious code on players’ computers.

The exact purpose of the hackers in spreading this malware remains unclear, and it marks a concerning development in the gaming world. Typically, malware spread through video games has been restricted to trojanized versions of game installers or cheats. Call of Duty: Modern Warfare 2, despite being over a decade old, still retains a small community of around 600 online players, according to a gaming analytics website. Valve, which operates the Steam platform hosting the game, has not yet commented on the situation.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
