North Korean WannaCry Ignites Government-Industry Collective Defense



In a Monday Wall Street Journal op-ed Thomas P. Bossert, Trump’s homeland security adviser, declared “[t]he [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible.” The findings are based on evidence says Bossert, and he is backed up by UK and Microsoft.

A Washington Post Bossert quote ratchets up the call for closer government-industry cyberdefenses. “[S]ome say that defending cyberspace is impossible and that hackers are inevitable. I disagree. . . . Government and industry must work together, now more than ever, if we are serious.”

Today, US and UK officials suggested it was highly likely the Lazarus Group was backed by the North Korean government. Facebook deleted accounts associated with Lazarus last week “to make it harder for them to conduct their activities,” reports The Guardian,  Facebook announced it acted with Microsoft “and other members of the security community” to disrupt the group’s activities.

A few hours ago Axious reports that the Department of Homeland Security (DHS) plans on intervening in U.S. company cybersecurity issues when necessary.

“The Department of Homeland Security is now calling on all companies to commit to U.S. collective defense, per Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS. But Bossert wouldn’t go so far as to say that an attack on a U.S. company constitutes an attack on the country.

DHS plans to move beyond offering voluntary assistance on cybersecurity issues and instead plans on intervening directly when necessary, per Manfra.”

Watch for much closer public-private actions to combat state-actor cyberattacks. 

Public Sector Brings New Cybersecurity Tech to Market

Hacker image
Here’s follow-up on a recent blog on emerging public and private sector roles in protecting against state-actor corporate cyberattacks.

Did you hear about the Department of Homeland Security Science and Technology Directorate’s commercialization of another Transition to Practice program technology?

The new industrial control systems cybersecurity solution — called SerialTap — passively taps serial-line communication data for use with enterprise cybersecurity incident and event management systems to improve situational awareness during an event. SerialTap integrates with legacy IT enterprise security solutions and industrial control systems used by critical infrastructure sectors.

The SerialTap announcement came during Critical Infrastructure Security and Resilience Month, which aimed at building awareness of the importance of critical infrastructure, and reaffirming “the nationwide commitment to keep our critical infrastructure and our communities safe and secure.”

Good to see the public sector sharing new technology to improve cybersecurity incident response.


Whose Job is it to Protect Corporate Data Stores from State Actor Cyberattacks?


It’s hard not to notice, that constant breach of data under corporate care has become our new normal. Headlines seem almost redundant — another data breach revealed, some very tardy.  In this barrage of breach announcements, we hear more about state-actors originating cyberattacks on corporate data stores. So, whose job is it to protect against foreign state attacks on corporate data stores?

“As we all have witnessed: no company, individual or even government agency is immune from these [cyber] threats.” So said Marisa Mayer, former Yahoo CEO, during her November Senate testimony on the Yahoo breach. Despite years of heading off may cyberintrusions and leveraging white hackers to test their defenses, Mayer says Yahoo still does not know exactly how “Russian agents intruded on our systems and stole our users’ data.”

Last year, North Korean hackers almost succeeded in stealing $1 billion from the New York Federal Reserve, after hacking into the Bangladesh Central Bank. The misspelling of “foundation” as “fandation” is the only thing that stopped the heist.  Let’s not forget,  Pyongyang Sony Pictures hack to stop release of an unflattering movie.

In 2011, North Korea’s leader Kim Jong-un started investing beyond cyberattack prowess for warfare, with a new focus on training hackers for theft, harassment and political-score settling. Researchers believe that 1/5th of Pyonyang cyberattacks originate from their hackers stationed in India, while other attacks are routed through Malaysia, Nepal, New Zealand and other countries.

“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” said Senator Nelson during the Yahoo hearing. The Senate committee chairman, added that the patchwork of state regulations on breach notifications must be replaced with a federal law.

On another front, the SEC plans to update its cybersecurity guidance for publicly traded companies, after the Equifax fiasco. Equifax discovered the attack in July but waited until September to inform shareholders. During that window, Equifax executives sold company stock. A company investigation exonerated them. A senior SEC regulator wants  faster cyber intrusion notices to investors, and revision of post-breach insider trading policies.

Is federal cyber-regulation of the private sector the answer?

In a Friday the 13th London speech, DOJ’s Rod Rosenstein said law enforcement’s  goal is to disrupt and deter future attacks, and punish cybercriminals. The Deputy Attorney General observed that “foreign criminals regularly break into systems to steal ideas that make our nation strong and competitive in the global marketplace.” Rosenstein recommends corporations immediately tell law enforcement when they discover a breach, in part so the company can gain access to sophisticated government tools.

What is law enforcement doing to head off these attacks before they happen?
Is Homeland Security doing enough to help corporations protect data from cyberattacks?

Ransomware attacks sure got corporate security folks’ attention this summer. WannaCry and NotPetya wreaked havoc on companies from FedEx to Merck.

SC Magazine places heaps of blame on the National Security Agency (NSA) for the  these  attacks. The NSA originally discovered the Microsoft security vulnerabilities, didn’t tell anyone and let their own hacking tools for the flaws get stolen by cybercriminals.

If the NSA can be hacked, how can corporations fend off nation-state and sophisticated hackers?

Then there’s the ultimate economic cyberattack —  where a nation-state aims to shut down the power supply or scramble bank records with a cyberattack. The NotPetya  attack gripped Ukraine’s power grid this summer. Ukraine claims Russia was behind this cyberwarfare.

Wired reports that the NotPetya October follow-on, “Black Rabbit attack” — locked hundreds of machines and hampered critical infrastructure in Russia, Ukraine, Germany and Turkey — may raise doubts about Russian involvement in NotPetya. Though one of the cybersecurity firms commenting on the situation is under F.B.I. investigation for links to  Russian intelligence.

Is this a spy novel or what?

These massive destructive attacks on critical infrastructure and data manipulation worry the head of the US National Security Agency (NSA), Admiral Michael Rogers. Let’s remember that a vast swath of US critical infrastructure is run by the private sector.

How will we protect corporate data stores from nation-state and rogue cyberwarfare, let alone run-of-the-mill profit-seeking hackers?

Isn’t the private sector’s job commerce and innovation? Yet in the digital economy, corporations must also be extremely sophisticated data security companies. After all, they leverage our personal data for profit, right?

The European Union’s  GDPR is about to usher in massive corporate liability for data privacy.  Though “cybersecurity,” a major data breach threat, is not mentioned in the regulation.

Does the government need to take a wider role in combating state-actor cyber attacks on corporate data? What new public-private models are needed to protect corporate data stores? Whose job is it to protect against state-actor cyberattacks on the private sector?

Food for thought.