BOD 17-01 requires all federal executive branch departments and agencies to (1) identify the use or presence of “Kaspersky-branded products” on all federal information systems within 30 days of BOD issuance (i.e., by October 13); (2) develop and provide to DHS a detailed plan of action to remove and discontinue present and future use of all Kaspersky-branded products within 60 days of BOD issuance (i.e., by November 12); and (3) begin to implement the plan of action at 90 days after BOD issuance (i.e., December 12), unless directed otherwise by DHS in light of new information obtained by DHS, including but not limited to new information submitted by Kaspersky.
The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) reviewed the Independent Assessment, titled Information Security Risks of Anti-Virus Software (hereafter “BRG Assessment”), prepared by Berkeley Research Group, LLC (BRG), and dated November 10, 2017. Kaspersky Lab (hereafter “Kaspersky”) submitted the BRG Assessment to DHS as an exhibit to Kaspersky’s request for DHS to initiate a review of Binding Operational Directive (BOD) 17-01. The BRG Assessment, in part, responds to the NCCIC Information Security Risk Assessment (hereafter “NCCIC Assessment”) on commercial off-the-shelf (COTS) anti-virus software and Kaspersky-branded products, dated August 29, 2017. The NCCIC Assessment was attached as Exhibit 1 to an Information Memorandum from the Assistant Secreta1Y for DHS Cybersecurity and Communications (CS&C) to the Acting Secretary of DHS, dated September 1, 2017 (hereafter “Information Memorandum”). This document is a Supplemental Information Security Risk Assessment and will similarly be attached to an Information Memorandum from the Assistant Secretary for CS&C to the Acting Secretary of DHS.
This assessment presents the inherent information security concerns and security ramifications associated with the use of any commercial-off-the-shelf (COTS) antivirus solution in devices with access to a federal network. It also addresses specific risks presented by Kaspersky-branded products, solutions, and services (collectively, “Kaspersky-branded products”).
This report examines the substantial economic costs that malicious cyber activity imposes on the U.S. economy. Cyber threats are ever-evolving and may come from sophisticated adversaries. Due to common vulnerabilities, instances of security breaches occur across firms and in patterns that are difficult to anticipate. Importantly, cyberattacks and cyber theft impose externalities that may lead to rational underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment. Firms in critical infrastructure sectors may generate especially large negative spillover effects to the wider economy. Insufficient data may impair cybersecurity efforts. Successful protection against cyber threats requires cooperation across firms and between private and public sectors.
Since April 2016, a loosely affiliated group of highly trained hackers calling themselves TheDarkOverlord (TDO) have conducted various extortion schemes with a recent focus on the public school system. TDO used remote access tools to breach school district networks and then proceeded to steal sensitive data. To extort money from its victims, including students, TDO threatened violence or the release of stolen sensitive data.
This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies. The primary focus of this policy is to prioritize the public’s interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities discovered by the USG, absent a demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes.
Personal information is increasingly distributed online by the media, the public, law enforcement agencies, and even law enforcement personnel themselves. It is imperative that law enforcement personnel understand the importance and consequences of their online activities and be proactive in monitoring and limiting their digital footprint. What may seem like an innocent upload or shared post can have a significant effect not only on law enforcement personnel but on their departments, families, and friends. Law enforcement should take the steps now to protect themselves and their family members before becoming a victim.
We assess with moderate confidence that cyber actors, including those who support violent extremism, are likely to continue targeting first responders on the World Wide Web, including by distributing personally identifiable information (PII) for the purpose of soliciting attacks from willing sympathizers in the homeland, hacking government websites, or attacking 911 phone systems to hinder first responders’ ability to respond to crises.
Artificial Intelligence (AI) is an emerging risk that will affect critical infrastructure (CI) as it becomes common throughout the United States. The purpose of this research paper is to analyze the narratives about AI to understand the prominence of perceived key benefits and threats from AI adoption and the resulting implications for infrastructure security and resilience. Narratives are strongly held beliefs, and understanding them will help decision makers mitigate potential consequences before they become significant problems.
FBI Cyber Bulletin: IP Addresses and Domains Used by Iran-Based Cyber Actors to Attack Victims Worldwide
The FBI assesses a group of malicious cyber actors—likely located in Iran—use Virtual Private Server infrastructure hosted in the United States to compromise government, corporate, and academic computer networks based in the Middle East, Europe and the United States. This infrastructure is used in conjunction with identified malicious domains to support a broad cyber campaign which likely includes the use of e-mail spear phishing, social engineering, and malicious Web sites (“watering hole attack”). These cyber actors almost certainly have been involved in this activity since at least early-2015.
The Mad Scientist 2050 Cyber Army project explored the visualization of the Army’s Cyber Force out to 2050 and its ability to address three major objectives of the Army’s Cyberspace Strategy for Unified Land Operations 2025: What does the cyber environment look like in 2040-2050 (how will cyber influence the environment and the population? What will connecting look like / what will they connect to? What are the drivers influencing this or not)? How do we build an Army Cyber Force that can dominate the cyber domain in the context of the multi-domain battle concept to gain a position of relative advantage? How can we build shared goals and expectations as well as develop an understanding of roles and responsibilities in order to build and maintain partnerships with U.S., and international academia, industry, defense departments/ministries and other agencies to enhance cyberspace operations? What new ideas should we be considering? Co-sponsored by the TRADOC G-2 and the Army Cyber Institute at the United States Military Academy, the 2050 Cyber Army project leveraged submitted papers, an on-line technology survey, and a 13-14 September Mad Scientist Conference that generated the insights synthesized in this report.
(U//FOUO) Orange County Fusion Center Bulletin: Criminal Use of E-mail Filters to Monitor and Divert Communications
FBI Cyber Bulletin: Individuals Threatening Distributed Denial of Service of Private-Sector Companies for Bitcoin
An individual or group claiming to be “Anonymous” or “Lizard Squad” sent extortion emails to private-sector companies threatening to conduct distributed denial of service (DDoS) attacks on their network unless they received an identified amount of Bitcoin. No victims to date have reported DDoS activity as a penalty for non-payment.
OCIA assesses that if specific industrial control systems (ICS) were successfully infected with ransomware, it could affect the ability of certain sectors to provide real-time management and control of large networks of geographically scattered equipment. Although security researchers have demonstrated the possibility of ransomware targeting control systems, OCIA assesses that such an attack is highly unlikely given the higher success rate against consumer and business systems, the likelihood that business and process control networks are segmented, and the ability for operators to take a control system out of service and employ manual overrides.
On May 12, 2017, organizations across the world reported ransomware infections impacting their computer systems. The infections, caused by a ransomware strain referred to as WannaCry, restricts users’ access to a computer and demands a ransom to unlock it. The U.S. Department of Justice defines ransomware as, a type of malicious software cyber actors use to deny access to systems or data until the ransom is paid. After the initial infection, ransomware attempts to spread through systems and networks.
Cloud services offer a number of benefits such as scalability, high availability, and decreased ownership cost. As a result, owners and operators in several critical infrastructure sectors such as Communications, Energy, Financial Services, Information Technology, and Transportation Services have migrated in-house computing resources to cloud infrastructures. However, cloud service environments still possess many of the same potential vulnerabilities associated with internally hosted environments, as well as additional exploits to virtual systems or networks. Owners and operators of critical infrastructure need to fully understand the risk environment as they address current cloud services and consider additional migration.
The Department of Homeland Security (DHS) assesses that given the high value of patient information and proprietary data on the black market, the Healthcare and Public Health Sector will continue to be one of the primary targets for malicious cyber actors. Stolen health data sells on the black market for more than 10 to 20 times the price of stolen credit card data. DHS assesses that growth in the medical device market over the next 4 years will result in more devices connected to the Internet, and an increase in the number of cyber-related incidents that target those devices. This is partly because manufacturers do not place enough emphasis on the security of medical devices.
With utilities in the U.S. and around the world increasingly moving toward smart grid technology and other upgrades with inherent cyber vulnerabilities, correlative threats from malicious cyber attacks on the North American electric grid continue to grow in frequency and sophistication. The potential for malicious actors to access and adversely affect physical electricity assets of U.S. electricity generation, transmission, or distribution systems via cyber means is a primary concern for utilities contributing to the bulk electric system. This paper seeks to illustrate the current cyber-physical landscape of the U.S. electric sector in the context of its vulnerabilities to cyber attacks, the likelihood of cyber attacks, and the impacts cyber events and threat actors can achieve on the power grid. In addition, this paper highlights utility perspectives, perceived challenges, and requests for assistance in addressing cyber threats to the electric sector.
An unidentified actor or actors between November 2016 and January 2017 targeted a US water and sewage authority’s network, resulting in excessive cellular charges and unusual traffic on ports 10000 and 9600, according to an FBI source with excellent access who spoke in confidence but whose reliability cannot be determined. The FBI source indicated that four of the seven devices on the authority’s cellular data plan were impacted with high data usage, which was likely a result of compromised network devices. The November 2016–December 2016 billing cycle totaled $45,000, and the December 2016–January 2017 billing cycle totaled $53,000.
FBI Cyber Bulletin: Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information
The FBI is aware of criminal actors who are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.
CI focuses on negating, mitigating, or degrading the foreign intelligence and security services (FISS) and international terrorist organizations (ITO) collection threat that targets Army interests through the conduct of investigations, operations, collection, analysis, production, and technical services and support.
This publication provides a guide for U.S. Army War College students to understand design, planning, and execution of cyberspace operations at combatant commands (CCMDs), joint task forces (JTFs), and joint functional component commands. It combines existing U.S. Government Unclassified and “Releasable to the Public” documents into a single guide.
Inspections and incidents across the Department of Defense (DoD) reveal a need to reinforce basic cybersecurity requirements identified in policies, directives, and orders. In agreement with the Secretary of Defense, the Deputy Secretary of Defense, and the Joint Chiefs of Staff, the DoD Chief Information Officer (CIO) identified key tasks needed to ensure those requirements are achieved. The DoD Cybersecurity Campaign reinforces the need to ensure Commanders and Supervisors at all levels, including the operational level, are accountable for key tasks, including those identified in this Implementation Plan. The Campaign does not relieve a Commander’s and Supervisor’s responsibility for compliance with other cybersecurity tasks identified in policies, directives, and orders, but limits the risk assumed by one Commander or Supervisor in key areas in order to reduce the risk to all other DoD missions.