Tag: Cybersecurity and Infrastructure Security Agency

Public Urged to Use Encryption for Mobile Phone Messaging and Calls

On December 4, 2024, four of the five members of the Five Eyes intelligence-sharing group (the United States, Australia, Canada, and New Zealand) law enforcement and cyber security agencies (Agencies) published a joint guide for network engineers, defenders of communications infrastructure and organizations with on-premises enterprise equipment (the Guide). The Agencies strongly encourage applying the Guide’s best practices to strengthen visibility and strengthen network devices against exploitation by reported hackers, including those hackers affiliated with the People’s Republic of China (PRC). The fifth group member, the United Kingdom, released a statement supportive of the joint guide but stated it had alternate methods of mitigating cyber risks for its telecom providers.

In November 2024, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement to update the public on its investigation into the previously reported PRC-affiliated hacks on multiple telecommunications companies’ networks. The FBI and CISA reported that these hacks appeared to focus on cell phone activity of individuals involved in political or government activity and copies of law enforcement informational requests subject to court orders. However, at the time of the update, these U.S. agencies and members of Congress have underscored the broad and significant nature of this breach. At least one elected official stated that the hacks potentially expose unencrypted cell phone conversations with someone in America to the hackers.

In particular, the Guide recommends adopting actions that quickly identify anomalous behavior, vulnerabilities, and threats and respond to a cyber incident. It also guides telecoms and businesses to reduce existing vulnerabilities, improve secure configuration habits, and limit potential entry points. One of the Guide’s recommended best practices attracting media attention is ensuring that mobile phone messaging and call traffic is fully end-to-end encrypted to the maximum extent possible. Without fully end-to-end encrypted messaging and calls, the content of calls and messages always has the potential to be intercepted. Android to Android messaging and iPhone to iPhone messaging is fully end-to-end encrypted but messaging from an Android to an iPhone is not currently end-to-end encrypted. Google and Apple recommend using a fully encrypted messaging app to better protect the content of messages from hackers.

The FBI and CISA are continuing to investigate the hacks and will update the public as the investigation permits. In the interim, telecom providers and companies are encouraged to adopt the Guide’s best practices and to report any suspicious activity to their local FBI field office or the FBI’s Internet Crime Complaint Center. Cyber incidents may also be reported to CISA.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.
For more on Mobile Phones, visit the NLR Communications Media Internet section

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident earlier this year when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks are subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commiserate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

© 2024 Winstead PC.
For more on HIPAA, visit the NLR Health Law Managed Care section

How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack

In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

© 2023 Bradley Arant Boult Cummings LLP

For cybersecurity legal news, click here to visit the National Law Review.

Guarding the Grid: DOE Releases 100-Day Cybersecurity Pilot Program

The February 2021 hack into Oldsmar, Florida’s water treatment system is a frightening reminder that critical infrastructure systems can be vulnerable to cyberattacks and that cyberattacks can jeopardize health and safety. In this case, the hack may have spurred government action. On Tuesday, the Biden administration announced a 100-day plan “to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control of electric utilities.”

In a coordinated effort among the Department of Energy (“DOE”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and the electricity industry, the plan lays out four areas of focus for the next 100 days: (1) enhancement of mechanisms for detection, mitigation, and forensic activities; (2) “concrete milestones” for the industry to develop “situational awareness and response capabilities in critical industrial control systems (ICS) and operational technology networks (OT)”; (3) reinforcement of overall cybersecurity in critical infrastructure information technology networks; and (4) voluntary industry participation programs “to deploy technologies to increase the visibility of threats in ICS and OT systems.”

The plan’s success likely hinges on the government’s ability to develop sustainable, cooperative relationships with the relevant industries. “Public-private partnership is paramount to the Administration’s efforts,” said National Security Council (“NSC”) Spokesperson Emily Horne in response to Tuesday’s announcement, “because protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure.” It appears that similar plans are being developed for additional critical infrastructure industries, including water, the chemical sector, and natural gas.

The previous administration responded to the escalating threat of cyberattacks from foreign adversaries[1] in part with Executive Order 13920, which declared a national emergency with regard to electric grid security and gave the Secretary of Energy the authority to prohibit certain transactions involving electric equipment potentially controlled by a foreign adversary. Relying on EO 13920, the DOE issued a Prohibition Order in December 2020 barring “Critical Defense Facilities” and any supporting facilities from purchasing or installing electricity generation equipment manufactured in China (“December Prohibition Order”).

On January 20, 2021, President Biden’s DOE issued a 90-day suspension of EO 13920 and the December Prohibition Order to allow the DOE and the Office of Management and Budget to consider methods of “protect[ing] against high-risk electric equipment transactions by foreign adversaries while providing additional certainty to the utility industry and the public.” Tuesday’s announcement from the DOE revoked the December Prohibition Order, effective immediately, but EO 13920 will remain in place until it expires on May 1, 2021.

The DOE has now opted to revoke the December Prohibition Order in an effort to “create a stable policy environment” while the DOE further develops its cybersecurity strategy for the electricity sector. However, utilities are still encouraged to “act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence” while the DOE develops further recommendations.

To assist in cybersecurity strategy development, along with the DOE’s 100-day plan announcement, the DOE issued a Request for Information (“RFI”) “focused on preventing exploitation and attacks by foreign threats to the U.S. supply chain.” Interested parties are encouraged to submit input to the DOE by June 7, 2021 regarding the development of “a long-term strategy that includes technical assistance needs, supply chain risk management, procurement best practices, and risk mitigation criteria” as well as the “depth and breadth of a future prohibition authority.” Instructions for submitting comments can be found on the DOE’s website.

The DOE is still hammering out many details of the 100-day plan, and some details may never be released to the public – expansions of DOE’s Cyber Testing for Resilient Industrial Control Systems program, for example, will be classified to avoid oversharing with foreign intelligence. While the DOE works to develop its 100-day plan, utilities should evaluate cybersecurity infrastructure within their own systems. For example, utilities could make renewed efforts to take inventory of software and hardware used across any systems touching critical infrastructure, and ensure that all technology is secure and up to date. If defense, detection, and prevention systems do not meet the DOE’s suggested standards, a utility could consider implementing additional measures or strengthening current systems now.

Additionally, a utility could consider whether and how its organization might participate in an information-sharing program. Any thoughts regarding guardrails and disclosure limitations for such a program could be submitted as comments to the RFI. Also, a utility could consider how its current approach to communicating with internal and external stakeholders about cyber issues might impact participation in information sharing.

[1] The new 100-day plan comes not only in the wake of the Oldsmar water system hack but also just days after the administration announced sanctions against Russia for its role in the Solar Winds hack.

© 2021 Bracewell LLP

ARTICLE BY Philip J. Bezanson,  Claire E. Cahoon, Catherine P. McCarthy and Joshua C. Zive of  Bracewell LLP
For more articles on cybersecurity, visit the NLR Communications, Media & Internet section.