Cybersecurity Industry News - 2021

Stories and headlines collected from across the cybersecurity industry related to legislation, business, and big tech.

October

Google AI department sued for using the health data of 1.6 million NHS patients 

PUBLISHED: Oct. 1, 2021 

A class-action lawsuit has been launched against DeepMind, the Google-owned AI research company, over its use of the personal records of 1.6 million patients from the UK's National Health Service. DeepMind was quietly given the records of patients at the Royal Free London NHS Foundation Trust. 

DeepMind said that it was using the data to create a potentially life-saving app called Streams. The app was designed to alert, diagnose, and detect when patients were at risk of developing acute kidney injury. It’s currently in the process of being decommissioned. 

The handing-over of patient records to one of the world's biggest technology companies was exposed by New Scientist in 2017, in a report showing that DeepMind had access to far more data than had been publicly announced. The UK Information Commission launched an investigation that ruled the Royal Free hospital hadn't done enough to protect patients' privacy: following which, DeepMind apologized. "Our investigation found a number of shortcomings in the way patient records were shared for this trial," Information Commissioner Elizabeth Denham said at the time. "Patients would not have reasonably expected their information to have been used in this way." 

The new case is being handled by law firm Mishcon de Reya on behalf of the lead plaintiff Andrew Prismall and the over 1.5 million other affected patients. 

The case is just one of a growing number of high-profile cases around data collection in recent years. In April, Anne Longfield, the former Children’s Commissioner for England, filed a case against TikTok on behalf of millions of UK children over how the app collected and used their data. 

Source: 

  • Artificial Intelligence News

 

Microsoft says it mitigated one of the largest DDoS attacks ever recorded 

PUBLISHED: Oct. 12, 2021 

Microsoft says it was able to mitigate a 2.4Tbps Distributed Denial-of-Service (DDoS) attack in August. The attack targeted an Azure customer in Europe and was 140 percent higher than the highest attack bandwidth volume Microsoft recorded in 2020. It also exceeds the peak traffic volume of 2.3Tbps directed at Amazon Web Services last year, though it was a smaller attack than the 2.54Tbps one Google mitigated in 2017. 

Microsoft says the attack lasted more than 10 minutes, with short-lived bursts of traffic that peaked at 2.4Tbps, 0.55Tbps, and finally 1.7Tbps. DDoS attacks are typically used to force websites or services offline by flooding them with more traffic than the host can handle. They are usually launched from a botnet, a network of machines that have been compromised with malware so they can be controlled remotely. Azure stayed online throughout the attack, thanks to its capacity to absorb tens of terabits per second of DDoS traffic. 

The attack is one of the biggest in recent memory. Last year, Google detailed a 2.54Tbps DDoS attack it mitigated in 2017, and Amazon Web Services (AWS) mitigated a 2.3Tbps attack. In 2018, NetScout Arbor fended off a 1.7Tbps attack. 

Source: 

  • The Verge

 

Hospital ransomware attacks now have deadly consequences 

PUBLISHED: Oct. 4, 2021 

A recent lawsuit filed against an Alabama hospital is alleging that a patient died because of a ransomware attack, a risk that cybersecurity experts have been warning about. 

The suit, first reported by The Wall Street Journal, says a baby died in April 2020 because of inadequate care given during a ransomware attack. 

While ransomware gangs have been targeting hospitals for several years, the issue has received renewed attention during the Covid-19 pandemic. A report last month from the Ponemon Institute found that 43 percent of healthcare organizations experienced a ransomware attack in the last two years, and among them, 70 percent faced delays in procedures and test results and 65 percent had to transfer patients more frequently. One in five also had increased mortality rates. 

The lawsuit puts the blame on Springhill Medical Center for not telling the then-expecting mother that it was dealing with a ransomware attack. Because the typical electronic monitoring systems were down, the mother is alleging that her doctors didn’t spot that her daughter’s umbilical cord was wrapped around the baby’s neck during delivery. 

Sources: 

  • Politico, Wall Street Journal

 

Statement by President Joe Biden on Cybersecurity Awareness Month 

PUBLISHED: Oct. 1, 2021 

Cyber threats can affect every American, every business regardless of size, and every community. That’s why my administration is marshalling a whole-of-nation effort to confront cyber threats. 
 
I am committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security. In May, I issued an executive order to modernize our defenses and position the Federal government to lead, rather than lag, in its own cybersecurity. By using the power of Federal technology spending, we are improving the software available for use to all Americans. Our 100-day action plan to improve cybersecurity across the electricity sector has already resulted in more than 150 utilities serving 90 million Americans committing to deploy cybersecurity technologies, and we are working to deploy action plans for additional critical infrastructure sectors. Both the public and private sectors have a role to play in strengthening cybersecurity, which is why we also issued a National Security Memorandum outlining the cybersecurity practices that responsible owners and operators of critical infrastructure should put in place and brought together leading American executives to expand public-private cooperation on cybersecurity. 
 
We are also partnering closely with nations around the world on these shared threats, including our NATO allies and G7 partners. This month, the United States will bring together 30 countries to accelerate our cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically. We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains. And, we are bringing the full strength of our capabilities to disrupt malicious cyber activity, including managing both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence. The Federal government needs the partnership of every American and every American company in these efforts. We must lock our digital doors — by encrypting our data and using multifactor authentication, for example — and we must build technology securely by design, enabling consumers to understand the risks in the technologies they buy. Because people – from those who build technology to those who deploy technology – are at the heart of our success. 
 
This October, even as we recognize how much work remains to be done and that maintaining strong cybersecurity practices is ongoing work, I am confident that the advancements we have put in place during the first months of my Administration will enable us to build back better – modernizing our defenses and securing the technology on which our enduring prosperity and our security rely. 
 
Source: 

  • White House Briefing Room

 

October is Cybersecurity Awareness Month 

PUBLISHED: Oct. 1, 2021 

Now in its 18th year, Cybersecurity Awareness Month—previously known as National Cybersecurity Awareness Month—continues to raise awareness about the importance of cybersecurity across our Nation, ensuring that all Americans have the resources they need to be safer and more secure online. 

This year’s theme, “Do Your Part. #BeCyberSmart.”, encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. 

In 2021, CISA and NCSA will focus on the following areas in our promotions and outreach: 

  • Week of October 4 (Week 1): Be Cyber Smart. 

  • Week of October 11 (Week 2): Phight the Phish! 

  • Week of October 18 (Week 3): Explore. Experience. Share. – Cybersecurity Career Awareness Week 

  • Week of October 25 (Week 4): Cybersecurity First 

CISA encourages the use of the hashtag #BeCyberSmart before and during October to promote your involvement in raising cybersecurity awareness. 

During October, use CISA’s Cybersecurity Awareness Month Resources to help your stakeholders learn how to reduce their cybersecurity risks and protect themselves online. Use these resources in your communities and share them with your stakeholders throughout the year to encourage strong, nationwide cybersecurity. These materials are free and may be modified to meet your needs. 

Source: 

  • CISA

September

Commission on breach liabilities hits roadblocks in Washington 

PUBLISHED: Sept. 20, 2021 

A Cyberspace Solarium Commission proposal to allow Americans to sue companies for cyber incidents resulting from product vulnerabilities is hitting a familiar dilemma in Washington: Is it better to punish companies for their shoddy practices or exempt them from liability to encourage information-sharing? Or can you do both? 

The proposal would make “final goods assemblers,” rather than intermediaries, liable for breaches and hacks resulting from known vulnerabilities. But skeptics of this approach say it’s still going to be difficult for Congress to determine which company should be open to lawsuits for a particular breach, or when that liability should apply. For example, how strenuously does a company have to try to alert its customers that a patch for a software flaw is available? 

Getting companies on board with the idea is a tough sell, especially when Congress has been using liability protections as a bargaining chip to get the private sector on board with other possible new cybersecurity measures. For instance, proposed breach-reporting mandates in both a Senate Intelligence Committee bill and a House Homeland Security draft would exempt those reports from liability to ease the industry’s nerves about sharing information about hacks and data breaches. 

Although there hasn’t been a huge public pushback to this proposal, the U.S. Chamber of Commerce, one of the most influential industry groups, still isn’t on board: Matthew Eggers, the group’s vice president of cybersecurity policy, told Eric it would prefer “not to impose liability.” 

Source: 

  • Politico

June

Cybersecurity for State Leaders brings cyber trainings to Massachusetts 

PUBLISHED: June 28, 2021 

On Tuesday, June 29th, Cybersecurity for State Leaders, a nationwide initiative led by the National Cybersecurity Center and supported by Google, will host a high-level cybersecurity briefing for state elected and appointed leaders and their staff. The briefing will educate state officials on the threat environment and arm them with best practices on how to avoid cyber attacks. 

“The threat posed to all levels of government by cyber attacks continues to increase year after year,” said Governor Charlie Baker. “Equipping government employees with the training and knowledge to assist in the fight against bad actors remains one of the best ways to improve the Commonwealth’s cybersecurity.” 

“End point user cybersecurity training is a vital component in improving the overall cybersecurity posture of state government,” said Secretary of Technology Services and Security Curtis M. Wood. “I thank the National Cybersecurity Center, Google, and our partners in the Legislature for their collaboration in providing this important training to the Commonwealth.” 

The briefing will also feature remarks by famed cybersecurity executive, Investor on ABC’s Shark Tank and founder and CEO of the Herjavec Group, Robert Herjavec, Chief People Hacker from IBM’s X-Force Red Team and Career White Hat Hacker Stephanie Carruthers, and senior experts and researchers from Google, Microsoft, and more. 

Register for the on-demand Cybersecurity for State Leaders training at https://cyberforstateleaders.org/register-for-training/. 

For more information on Cybersecurity for State Leaders, visit https://cyberforstateleaders.org/. 

Source: 

  • Cybersecurity for State Leaders

April

Homeland Security Secretary backs call for mandatory disclosure of ransomware payments 

PUBLISHED: April 29, 2021 

The Department of Homeland Security will work with a private-sector think tank to implement a report of recommendations for slowing the scourge of ransomware, including one that would require victims to report when they give in and make a payment, according to DHS Secretary Alejandro Mayorkas. 

The report reflects the work of a ransomware task force convened by the Silicon Valley-based Institute for Security and Technology that included 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, academic institutions, cybersecurity insurers and international organizations, according to the document. 

“The task force's report provides a vision for what we can do to better address this urgent problem,” Mayorkas said. “DHS looks forward to working closely with the task force to turn its recommendations into action.” 

Last year saw an exponential increase in the number and size of ransomware payments that entities—often schools, hospitals and other critical service providers, and local governments—made to hackers who encrypt their data or threaten to publicly release it unless they are paid. 

Jen Ellis, a task force member and vice president of cybersecurity firm Rapid7, stressed the importance of the recommendation to mandate the disclosure of payments, so that law enforcement can gain a better understanding of the threat and ransom payments are discouraged. She said the information would be anonymized to prevent organizations from being “re-victimized.” 

Sources: 

  • Nextgov

 

Biden prepping cybersecurity executive order in response to SolarWinds attack 

PUBLISHED: April 29, 2021 

President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December. 

The order, which is still being drafted, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector. 

"So essentially, federal government procurement allows us to say, 'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,'" said Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House. 

The SolarWinds attack, believed to be perpetrated by Russian hackers, was discovered last year. The hackers exploited software from the IT group SolarWinds, which helped them gain access to as many as 18,000 customers. A smaller number of the customers' systems, however, were compromised by follow-on activity. 

As a result, nine federal agencies and 100 private-sector groups were compromised during the months-long operation. 

Sources: 

  • NPR, The Hill

 

Biden administration kicks off 100-day effort to beef up cybersecurity of nation's power grid 

PUBLISHED: April 20, 2021 

The Biden administration kicked off a 100-day effort on Tuesday to beef up cybersecurity in the nation's power grid, calling for industry leaders to install technologies that could thwart attacks on the electricity supply. 

The plan, a joint effort between the Energy Department and the Cybersecurity and Infrastructure Security Agency, focuses on helping operators in the electricity industry modernize their security systems and implement new technologies to detect and mitigate threats. 

“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Secretary of Energy Jennifer M. Granholm said in a statement. “It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.” 

Recent attacks on SolarWinds and Microsoft Exchange software, both of which ensnared the electric industry, have renewed the urgency to modernize and secure America's electric grid. Some owners and operators still rely on decades-old equipment that was not designed with modern cybersecurity risks in mind. 

The new initiative follows criticism from some industry members that funding for grid security was snubbed in Biden's recent infrastructure package. 

Sources: 

  • Washington Post, Bloomberg

 

Defense Department kicks off pilot program to root out digital weaknesses in defense industry 

PUBLISHED: April 5, 2021 

The Pentagon’s Cyber Crime Center and bug bounty vendor HackerOne today launched an effort to share vulnerability data and boost digital hygiene within the defense industrial base, a frequent target for hackers that has been rocked by a number of high-profile breaches over the years. The Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Pilot — started in collaboration with the Defense Counterintelligence and Security Agency — will invite security researchers to hunt for vulnerabilities in more than 100 DIB assets across several different organizations. 

The 12-month program aims to apply the lessons learned from the 28,000 reports already made through the Pentagon’s Vulnerability Disclosure Program, established in 2016, to vendors and contractors within the DIB. The pilot program’s structure was informed by Carnegie Mellon University’s Software Engineering Institute, which conducted a feasibility study ahead of the initiative. 

“To have a comprehensive view of where you're most vulnerable in order to protect against evolving threats, you need to remain open to vulnerability findings at all times. It's a best practice and a regulatory expectation,” HackerOne Co-founder Michiel Prins said in a statement. “With the DIB VDP, learnings from this best-in-class program can be extended to many of the government's most vital suppliers.” 

Source: 

  • Politico

February

Senate Intel Committee to conduct open hearing on SolarWinds Hack 

PUBLISHED: Feb. 23, 2021 

The Senate Intelligence Committee on Tuesday will hold the first public congressional hearing on the SolarWinds hack. The panel previously received a closed-door briefing about the incident from the NSA, the FBI, CISA and ODNI, and held an informal session with FireEye CEO Kevin Mandia, whose company discovered the compromise. 

The hearing will take place today, Tuesday, February 23rd at 2:30PM ET. 

Source: 

  • C-SPAN

January

President orders sweeping assessment of SolarWinds hack 

PUBLISHED: Jan. 21, 2021 

Senator Mark Warner, Democrat of Virginia, who will become the chairman of the Senate Intelligence Committee, said President Biden was ordering a broad new intelligence assessment on Russia, and, in particular, a better understanding of the SolarWinds hacking. 

Evidence amassed thus far suggests the perpetrators used their covert access chiefly to conduct espionage – an act all nations, the United States included, engage in. This would therefore limit the administration’s options for retaliation. 

“SolarWinds is one of the most sophisticated and deep hacks we’ve faced, and the president needs the best information he can get to not only lead the remediation of the penetration, but to understand how to prevent it in the future, and what actions might deter Russia going forward,” Mr. Warner said. 

President Biden’s order for the investigation of the SolarWinds hack – named for the Texas software company whose widely used IT monitoring and management tools were one way the hackers gained access – comes as intelligence officials have concluded that more than a thousand Russian software engineers were most likely involved in it, according to people involved in the investigation. This suggests the intrusion was a far larger, and stealthier, operation than first known. The intruders were active for a full nine months before cybersecurity firm FireEye and Microsoft Corporation alerted the government. 

Source: 

  • The New York Times

 

Malwarebytes becomes fourth major security firm targeted by SolarWinds hackers 

PUBLISHED: Jan. 19, 2021 

The creator of a popular anti-virus software, Malwarebytes, said on Tuesday that some of its emails were breached by the same hackers who used the software company SolarWinds to hack into a series of U.S. government agencies. This makes Malwarebytes the fourth major security firm, after Microsoft, FireEye, and CrowdStrike, to be targeted by this same group. 

Malwarebytes said the intrusion is unrelated to the SolarWinds supply chain incident, since the company does not use any SolarWinds software in its internal network; instead, the hackers breached its internal systems by exploiting a dormant email protection product within its Office 365 and Microsoft Azure environments. The company confirmed the hackers were able to gain access to a “limited subset of internal company emails” but found no evidence of unauthorized access to or compromise of its production environments. 

Mandiant, a cybersecurity research firm, recently released a report alleging that the perpetrators behind the SolarWinds supply chain attack leveraged four separate techniques to bypass identity and access management protections and move laterally from victims’ on-premises networks to their cloud-based Microsoft 365 accounts. 

Sources: 

  • Reuters, FireEye
