Shame on you, Cozy Bear. Domestic surveillance authority. Aviation cyber resilience. Working with CMMC. Beijing doesn’t like "historical…

Posted: April 21, 2021 at 9:47 am

At a glance.

NSA, along with the FBI and the Cybersecurity and Infrastructure Security Agency, published a Cybersecurity Advisory warning that Russia's Foreign Intelligence Service (SVR), also known as Cozy Bear, is actively exploiting five vulnerabilities in US and allies' networks. The agencies urge immediate investigation and remediation, cautioning that Cozy's favorite techniques include exploiting public-facing applications, leveraging external remote services, compromising supply chains, using valid accounts, exploiting software for credential access, and forging web credentials.

Meanwhile, the Biden Administration is preparing to formally attribute Holiday Bear's supply chain gambit to the SVR and then, in response to that campaign and other recent Russian misbehavior, to expel ten diplomats and broaden financial sanctions via executive order, according to the Wall Street Journal. The order will strengthen current bans on trading in Russian government debt by barring U.S. financial institutions from buying new bonds directly from Russia's central bank, finance ministry, and the country's massive sovereign-wealth fund after June 14. The announcement of this and other sanctions was made this morning from the White House.

Daniel Castro, Vice President of the Information Technology and Innovation Foundation, offered some early industry reaction to the measures announced today. He gives it generally favorable reviews:

"Today the United States hit reset on the nation's cybersecurity policy. Biden's job is to make Putin and others realize the Trump era is over and there is a new sheriff in town. With today's announcement, he's off to a good start. The question is now whether the United States and its allies can consistently impose significant and proportionate costs on nations that engage in or support cyberattacks that undermine global security.

"The actions announced today will position the United States and its allies to be more prepared for future attacks. A key part of this strategy is better attribution to reliably identify the source of attacks. But it remains to be seen whether better attribution will cause Russia or China to change tactics. Put simply, a name and shame approach won't work on the shameless, and both Russia and China have brazenly engaged in state-backed cyberattacks in recent years.

"The Biden administration should hope for the best but prepare for the worst, including deploying offensive countermeasures to respond to future incidents of state-backed cyberattacks and expanding its investment in defensive cybersecurity technologies and capabilities."

FCW clarifies that NSA Director Nakasone is not, in his words at the Senate Intelligence Committee hearing on the Intelligence Community's Annual Threat Assessment, seeking legal authorities either for NSA or for US Cyber Command in response to Cozy Bear's gambol. Nakasone did not make clear, however, what remedy he is seeking for the oft-touted blind spots in domestic networks, though he did reiterate that private sector incentives stymie information sharing. FCW notes that the Director's responses seemed to frustrate lawmakers, who for months have pressed for direct and expedient answers on how to prevent another intrusion.

Nextgov's impression was that improved public-private partnership was indeed the recommended solution. While lending support to breach notification regulation, Senator Wyden (Democrat of Oregon) countered that Federal agencies have work of their own to do first, since the intrusion also went undetected on fully visible Government networks.

The World Economic Forum and Deloitte bring us a report intended to establish cyber standards for the aviation sector. "Pathways Towards a Cyber Resilient Aviation Industry" suggests the following global, domestic, and organizational strategies:

The document also notes aviation's crucial role in vaccine transport and the accompanying risk of targeted cyberattacks.

National Defense addresses common CMMC questions. The Industrial Association cleared up the following: vendors should feel free to ignore the word "pilot," which refers to all CMMC contracts through 2026. There's no public record of pathfinder contracts or of scheduled assessments of Third Party Assessor Organizations. Processing time for Level Three compliance will depend on factors like organization size and present compliance.

Current contracts are not affected, only new or amended ones. Just one assessment is needed per organization. Compliance could be very expensive, and who should cover the costs is hotly debated. There are worries that the new requirements will be impossible for some organizations to meet. There's concern that vendors won't have time to review CMMC rules with subcontractors. It's not clear what will happen if subcontractors can't comply.

CMMC does cover foreign vendors, but suppliers of commercial-off-the-shelf goods that handle no controlled unclassified information (CUI) needn't apply. CUI standards are less rigorous than those for confidential information. What counts as CUI is unclear: some think it must originate from the Government; others, that it can be developed down the line.

Reuters reports that the Cyberspace Administration of China has set up a tip line for residents to report online posts disparaging the CCP in the run-up to the party's one hundredth anniversary this summer. Casting anyone who distorts history, insults leaders and heroes, or rejects the excellence of advanced socialist culture as "historical nihilists," the regulator encouraged the public to "actively play their part in supervising society and enthusiastically report harmful information." Beijing typically ramps up censorship in advance of national occasions; critics risk jail time.
