Merlin Labs Memo -- Week of March 6-10


Biden-Harris Administration Releases National Cybersecurity Strategy

The new administration cybersecurity strategy opens with two key points: One, to shift the burden of cybersecurity from individuals, small businesses, and local government to organizations with better capabilities for dealing with risk. Two, to incentivize long-term investments in cybersecurity.

Our Take: To start, it’s been a long time coming to get the security burdens off of those least capable of understanding or dealing with security issues – who also just so happen to be the most frequent targets of breaches and compromises. 

And while the strategy does not explicitly mention cutting Russian, Chinese, Iranian, and other hostile state actors off at the knees, it does imply that, in shifting cybersecurity burdens, we may one day have a firewall perimeter on traffic to and from adversarial nations, and possibly even some kind of threat analytics applied to internet traffic with locations known or suspected of having connections to adversarial nations. When the strategy mentions “robust public and private” collaborations, “strengthen norms of responsible state behavior”, and “hold countries accountable”, that’s one thing that comes to mind.

The strategy also discusses disrupting criminal networks – are we entering an era of more intensive “hack-back” activity? Again, if that’s done by government resources with law enforcement and/or force projection authorization, then it spells out a much more hostile workspace for said criminal networks, whether or not they are connected to state actors. 

The strategy also takes domestic aim at firms that have been lax regarding personal data privacy, security, and usage. Not only theft of data, but misuse of it as well is mentioned as an area where we must do better. Beyond that, the language about incentivizing security could hint at accounting changes or other such non-IT maneuvers that would allow for us to no longer see cybersecurity as a money sink or the CISO as the executive in charge of taking the blame and getting fired. 

Expect the White House to both push for more federal funding for cybersecurity as well as more regulations, particularly on critical infrastructure. One area I liked quite a bit was in objective 3.3, where it described making software liability no longer dismissible with a click of an unreadable EULA. – Dean Webb


US RESTRICT Act – Another Effort Targeting Supply Chain Risk Management

The Risk Information and Communications Technology (RESTRICT) Act was endorsed on Tuesday, March 7th by 12 senators from both sides of the political aisle in a show of bipartisan support. The proposed legislation “is designed to empower the US administration to potentially ban foreign producers of electronics or software deemed a national security risk by the Commerce Department.” Matthew Marsden, vice president at Tanium, weighed in by pointing out that we’ve “seen concerns increase in the West in recent months, with the use of Chinese surveillance technology being restricted. There have also been numerous reports of Chinese efforts to sway politicians by way of lobbying and donations, and the public via social media and the spread of disinformation.” From the White House statement on the matter: “This legislation would provide the U.S. government with new mechanisms to mitigate the national security risks posed by high-risk technology businesses operating in the United States.” The legislation will head to Congress for review and, if approved, will be sent to the President for signature. – Via: Infosecurity Magazine

Our Take: Anyone closely following recent governance and regulatory activities related to cybersecurity compliance won't be surprised by this latest move. Supply chain vulnerabilities have been the source of many recent high-profile breaches, and foreign entities have been gathering data as well as inserting data through technology, both subtly and not-so-subtly, into our nation’s social and political commentaries. This contributes to traditional cyber breaches as well as the dissemination of misinformation and divisive content meant to divide and weaken. Look no further than the very popular TikTok app, which collects loads of data on its users (including what is shared AND what is created but not shared), giving its Chinese owners tremendous insight and intelligence into our “private” interactions and personal information, including detailed narratives fueling our national conversations. Simply by using the app, we are unwittingly handing this valuable information over to foreign countries and opening the door for that data to be used against us in traditional phishing types of attacks or disinformation campaigns. Either can have severe consequences. Executive Order 14028 on Improving the Nation's Cybersecurity, the White House's National Cybersecurity Strategy, NIST 800-53 rev 5, the FedRAMP Authorization Act and the imminent adoption of FedRAMP rev 5 baselines all directly and/or indirectly call out the need to mitigate supply chain risk and risk associated with malicious and/or state-sponsored threat actors. One very natural approach to limiting this risk is to take this type of highly intentional approach to analyzing and addressing hardware and software from high-risk sources that are found to have questionable elements, and fully banning technology that possesses suspected or known threats. What does that mean for today's cybersecurity teams, and what do we do in the meantime? Whether or not this act results in a passed and signed bill, the threat is real.
Supply chain risk management stopped being a nice-to-have long ago and should be embraced as an essential element of any organization's cybersecurity program. – Sarah Hensley


ChatGPT and Sensitive Information

ChatGPT is popular, no question about that. Its ability to automatically generate content is more than just a pain in the neck for teachers, however. We now have examples of doctors using patient information with ChatGPT to generate letters for insurance providers. One executive has taken confidential documents to ChatGPT to get it to generate a PowerPoint presentation from the information, and he may not have been the only one to do so.

Not only does this mean that confidential information has crossed out of the bounds it was supposed to stay in, it also means that clever attackers can send prompts to ChatGPT to have it recall the information submitted to it and get access to those materials. 

Our Take: We need to have a chat about ChatGPT. It’s a fun tool that’s already begun to replace people in generating documentation. But it’s also capable of letting bad people get at information submitted by people who weren’t thinking about security as they copied and pasted. While we can create training about how not to abuse the service, we’re going to have to step up our game in automating the protections at the browser edge.

That’s where this battle is being fought. The same percentage of people who seem to be immune to phishing awareness training is also responsible for over 80% of the sensitive data incidents with ChatGPT. That’s right, one percent. Rather than trying to pre-emptively identify and terminate that one percent, the simpler solution to me would be to roll out a hardened browser that can check pasted information for confidentiality and then permit or deny based on that in-time assessment. Hardened browsers are already an idea whose time has come, but AI has made the need for that tool all the more urgent. – Dean Webb
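One way to prototype the paste-time confidentiality check described above, as an added example that is not from the memo or any Merlin product; the sensitivity patterns, the external-host list and the allow/deny rule are all assumptions chosen for illustration:

```javascript
// Added example (not the memo's code): assess pasted text before it leaves the
// browser for an external generative-AI site. Patterns below are illustrative
// assumptions, not a vetted DLP rule set.
const CLASSIFICATION_MARKERS = /\b(confidential|internal only|do not distribute|proprietary)\b/i;
const SENSITIVE_PATTERNS = [
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: "medical record number", re: /\bMRN[:#\s]*\d{6,}\b/i },
  { name: "date of birth", re: /\b(DOB|date of birth)\b[:\s]*\d{1,2}\/\d{1,2}\/\d{2,4}/i },
];
// Hosts where pasted text leaves the organization's control (assumed list).
const EXTERNAL_AI_HOSTS = new Set(["chat.openai.com"]);

// Returns { allow, findings, external }: what was matched and whether the
// paste should proceed. Sensitive findings are only blocked for external hosts,
// so pasting a confidential memo into an intranet tool is still permitted.
function assessPaste(text, host) {
  const findings = [];
  if (CLASSIFICATION_MARKERS.test(text)) findings.push("classification marker");
  for (const p of SENSITIVE_PATTERNS) {
    if (p.re.test(text)) findings.push(p.name);
  }
  const external = EXTERNAL_AI_HOSTS.has(host);
  return { allow: !(external && findings.length > 0), findings, external };
}

// Hooks the check into the page's paste event; a hardened browser or
// extension would run this on every document it loads.
function installPasteGuard(doc, host) {
  doc.addEventListener("paste", (event) => {
    const text = event.clipboardData ? event.clipboardData.getData("text/plain") : "";
    const verdict = assessPaste(text, host);
    if (!verdict.allow) {
      event.preventDefault(); // the pasted text never reaches the input field
      console.warn("Paste blocked, matched: " + verdict.findings.join(", "));
    }
  });
}
```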


Cyberspace has Matured Into a True Cyber Warfare – Have We Met the Challenge?

“The Russia-Ukraine war has shattered the digital wall that often separated the government’s cyber experts from the private sector, forcing a new level of transparency on potential threats and engagement on geopolitical crises.” – Via: The Hill

“2022 will be remembered as the year that the Russian invasion of Ukraine changed the narrative around cybersecurity in numerous ways.” – Via: GovTech

Our Take: The war in Ukraine has brought cyberspace fully into the forefront of US politics, war planning, and commercial organizations' current and future planning. The direct example of how it can now be leveraged by a hostile nation-state in an active war has made it critical. At Merlin Cyber, we work entirely with government clients, and there is never a conversation around architecture and planning that does not include nation-state threat actors.

While the effects of the war on the people of Ukraine are horrific, the impact on the cybersecurity front has been dramatic and largely to the good. Spending has shifted from the cheapest solution to the best solution, and planning has shifted from the needs of yesterday to planning at a strategic level that meets current and future needs.

Cyber hygiene is truly having its moment during this conflict, as CVEs are regularly exploited to maximum effect in order to cause havoc across the Russian and Ukrainian cyber-scape. Organizations have embraced the concept that vulnerabilities are important rather than simply a nuisance to get a waiver for. Vulnerabilities in enterprise solutions such as Log4j, VMware hypervisors, and IoT devices have proven that even long-deployed software packages can have a significantly outsized effect on the security of an environment.

The question of "Have we met the challenge?" must be answered with "Sort of". While as an industry we have made huge strides in the last year, both in protection and visibility, we have far to go before secure development processes, visibility and active remediation are the norm rather than the exception. We are getting closer, and there is improvement, but the light at the end of the tunnel is still more likely to be the train. – Jeremy Newberry

Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email labs@merlincyber.com. Thank you!  
