ICD Brief 73.
This week’s ICD Brief brings you a cyber reorganization at the US State Department, details on China’s Personal information Security Specification and compliance, CISCO and Apple partner with AON and ALLIANZ on cyber risk, crypto-crime and a summary of new international laws and investments in securing the global critical infrastructures from the US to the Ukraine. We close with Forbes contributor Constance Douris’ detailed description of potential consequences from a successful cyber assault on the US Electric Grid.
We lead with four headlines.
- Just in: Hackers hijack government websites to mine crypto-cash (UK)
- China Issues Personal Information Security Specification
- US Energy Secretary: Cybersecurity a Priority for Electrical Grid, Nuclear Facilities
- Cisco and Apple Partner with Insurance Companies on Cybersecurity
The Information Commissioner’s Office (ICO) took down its website after a warning that hackers were taking control of visitors’ computers to mine cryptocurrency.
Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected.
“Secretary of State Rex Tillerson announced his plans for another restructuring within the State Department’s cybersecurity offices, but lawmakers, including the Republican chairmen of the House Foreign Affairs and Homeland Security committees, are pushing back and moving forward with a bill they say would better position an embattled cyber role within the department’s hierarchy.”
Christopher Krebs, acting undersecretary of the Department of Homeland Security‘s National Protection and Programs Directorate, has been nominated by President Donald Trump to lead NPPD on a full-time basis.
“During a recent tour of the Savannah River nuclear site and the Savannah River National Laboratory, U.S. Energy Secretary Rick Perry discussed the challenges of protecting facilities and infrastructure from cyberattacks.”
“Cyber activists may take advantage of the large audience to spread their message. Cyber criminals may attempt to steal personally identifiable information or harvest users’ credentials for financial gain.”
“US authorities have indicted 36 people for stealing more than $530 million from victims across the world in one of the “largest cyberfraud enterprises ever prosecuted.”
“The Australian government is increasingly concerned about the blurring of state and non-state activity, that certain states have used third-party criminal groups to mask their cyber-based activity, a joint parliamentary committee has heard.”
“Children as young as four will now be trained in cybersecurity due to concerns they are at risk of being targeted online by child sex offenders.”
“The second Vienna Cyber Security Week (VCSW) held from 29 January to 2 February 2018 brought together representatives from public authorities, governments and organisations, including the International Telecommunications Union (ITU), the International Atomic Energy Authority (IAEA) and the Organization for Security and Co-operation in Europe (OSCE) for an international dialogue on the security of critical digital infrastructures.”
“On 29 December 2017 the Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification（GB/T 35273-2017） (the “Specification”), which will come into effect on 1 May 2018. Such requirements give rise to significant compliance issues for business operations in China.”
“Cybersecurity has been made the number one priority in a Fintech Action Plan presented by the European Union, aiming to improve collaboration between participants and regulators. The increasingly dangerous threat landscape poses perhaps the greatest threat to the financial services of all industries, facing an unparalleled density of attacks.”
“The European Commission is to explore broader EU-level uses of blockchain beyond its original role in the oversight of cryptocurrencies and is looking at the potential of the secure records management software to handle sensitive data passing between member states more efficiently and securely.”
“The digitalization of the energy and infrastructure field in recent years has made it more vulnerable to cyber threats. Providing cybersecurity to critical infrastructure and energy installations has become a major task, as attacks on the computerized systems of these installations might result in severe physical damages.”
“Crossed Swords 2018, the technical red teaming cyber defence exercise of the NATO Cooperative Cyber Defence Centre of Excellence, took place last week in Latvia in cooperation with CERT.LV. This year the exercise expanded considerably in scope and complexity, covering several geographical areas, involving critical information infrastructure providers and cyber-kinetic engagement of military units.”
“There’s a new cyberpower in the world. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”
“The Cybersecurity Act (87-page / 251KB PDF) will apply to organisations that are designated as operating ‘critical information infrastructure’ (CII) in Singapore. Organisations in the energy, telecoms, water, health, banking, transport and media sectors are among those that could be impacted.”
“South Korea on Saturday investigated a mysterious internet shutdown during the Winter Olympics opening ceremony, which follows warnings of possible cyberattacks during the Pyeongchang Games.”
“Ukraine’s state-run power distributor Ukrenergo, a leading target for cyber attacks in the past two years, will invest up to $20 million in a new cyber defense system, its chief executive said on Tuesday. In June 2017 Ukrenergo appeared to be an early victim of a cyber attack that began in Ukraine and spread around the world, knocking out thousands of machines, shutting down ports, factories and offices in around 60 countries.”
“The results of the UK government’s new bold approach to tackling cyber crime are detailed in ‘Active Cyber Defence – One Year On’, a comprehensive summary compiled by the NCSC’s Technical Director Dr Ian Levy.
“Every single one of the 200 NHS trusts in the UK so far assessed for cyber security resilience has failed an on-site assessment, MPs on the Public Accounts Committee were told yesterday.”
“A study released today by specialist insurer Hiscox revealed that nearly three-quarters (73%) of firms face major shortcomings in cyber security readiness.”
“Tech companies Cisco and Apple, and insurance firms Aon and Allianz have unveiled a new cyber risk management solution for US businesses.”
Constance Douris – Forbes
“If a mass power outage were to result from a successful cyberattack on the electric grid, national security and economic stability would be threatened. This is because hospitals, banks, factories, pipelines, financial networks, water systems, telecommunications and military bases would simply not function without electricity.”