Chapter 8.
Cybersecurity and Critical Infrastructure Protection
Cybersecurity Strategy and Policy
- National Security Memorandum on Critical Infrastructure Security and Resilience – National Security Memorandum 22 (NSM-22) (The White House, April 30, 2024)
- Critical infrastructure blueprint gets long-awaited update but maintains status quo on key sectors (NextGov, April 30, 2024)
- DHS launches new AI safety and security board (Government Executive, April 29, 2024)
- White House’s plan to stop ransomware: block payments (Defense One, October 31, 2023)
- Banning TikTok Could Weaken Personal Cybersecurity (Government Executive, April 14, 2023)
- An Experiment Showed that the Military Must Change Its Cybersecurity Approach (Defense One, August 16, 2022): “The Defense Department’s current “checklist” approach can’t keep its networks safe.”
- House subcommittee approves $334 million funding bump for CISA (The Hill, June 16, 2022)
- Inglis Says He Won’t ‘Dictate’ Cyber Workforce Policy (Government Executive, April 6, 2022): “National Cyber Director Chris Inglis said that part of his job in the cybersecurity workforce arena will be ensuring that the roles of different agencies are coordinated.”
- EU Proposes Cybersecurity Rules for EU Bodies Amid Cyberattack Worries (US News and World Report, March 22, 2022)
- CISA Warns of Ransomware Gang, Issues Indicators of Compromise (NextGov, March 8, 2022): “Processes spurring from the Ragnar Locker Ransomware have affected at least 52 critical infrastructure victims since January, but will terminate if it encounters systems in certain Russian and near-Russian locations.”
- Climate tech needs cybersecurity (GreenBiz, October 13, 2021): “As the world transitions to renewable energy — and to an increasingly distributed grid — there’s a growing appreciation about the vulnerability of these systems. “Having a very forward-thinking security posture is going to be table stakes,” EIP partner Shawn Cherian told me when we chatted about the development last month. “As we poll our partners about priorities, security is almost one of the top three items.”
- Cybersecurity Shortcomings Exposed by the Pandemic (Helpnet Security, October 13, 2021): “SecureAge announced the release of its study which polled 200 employers and 400 employees from around the UK business world during Q3 2021, and examined key cybersecurity topics and trends.”
- Biden Signs School Cybersecurity Bill (NextGov, October 12, 2021): “The Cybersecurity and Infrastructure Security Agency will study the cyber risks facing elementary and secondary schools and develop recommendations to assist schools in facing those risks.”
- Spending the federal cybersecurity budget: what’s next? (FCW, September 27, 2021): “In 2020, cyberattacks against the U.S. government organizations cost $18.88 billion in recovery costs and downtime. In an effort to drive down this cost and improve our cybersecurity posture, this year the federal government has announced a number of initiatives, from the infrastructure bill to the Joint Cyber Defense Collaborative and White House Cybersecurity Summit.”
- We Must Reorient US Cyber Strategy Around the Only Safe Assumption (Defense One, 2/10/2021)
- Presidential Policy Directive (PPD) – 41: United States Cyber Incident Coordination (7/26/2016): “This Presidential Policy Directive (PPD) sets forth principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities. For significant cyber incidents, this PPD also establishes lead Federal agencies and an architecture for coordinating the broader Federal Government response. This PPD also requires the Departments of Justice and Homeland Security to maintain updated contact information for public use to assist entities affected by cyber incidents in reporting those incidents to the proper authorities.”
Cybersecurity Efforts
- Feds saw more cyberattacks but better detection last year, FISMA report says (NextGov, June 12, 2024)
- CISA Issues Directive for All Government Agencies to Cease Using IVANTI VPN Services (CISA, January 31, 2024)
- FBI says it’s shut down China Volt Typhoon infrastructure hacks (Washington Post, January 31, 2024)
- Chinese malware removed from SOHO routers after FBI issues covert commands (Ars Technica, January 31, 2024)
- US says it and partners have taken down notorious ‘Qakbot’ hacking network (Reuters, August 29, 2023)
- How the FBI hacked Hive (Politico, July 4, 2023)
- Cyber attacks set to become ‘uninsurable’, says Zurich chief (Irish Times, December 26, 2022)
- Perception vs reality: How to really prepare for ransomware (VentureBeat, December 25, 2022)
- House appropriators back more than $15 billion for cybersecurity (Rollcall, July 12, 2022): “The largest chunk of cybersecurity spending, $11.2 billion, would go to the Defense Department, followed by $2.9 billion for the Cybersecurity and Infrastructure Security Agency, or CISA.”
- Thanks to the economy, cybersecurity consolidation is coming. CISOs are more than ready. (Protocol, June 17, 2022)
- Biden warns Russian cyberattacks ‘coming’ (Politico, March 21, 2022): “The president tells companies to immediately harden defenses against potential Russian cyberattacks.”
- Secretary of Homeland Security issues cybersecurity preparedness statement (ABC, March 21, 2022)
- Hackers beware: Justice Department doubles down on efforts to thwart global cybercrime (USA Today, February 17, 2022)
- Feds Step Up Cybersecurity Support for State Governments (NextGov, January 4, 2022): “The Cybersecurity and Infrastructure Security Agency is actively working to help states strengthen their cybersecurity efforts by setting up a 50-state network of federal cybersecurity coordinators, one per state.”
- DISA Moves to Combat Intensifying Cyber Threats with Artificial Intelligence (NextGov, November 1, 2021): “The press event was associated with DISA’s Forecast to Industry and the release of its strategic plan for 2022 through 2024.”
- OMB Gives Agencies Three Months to Help CISA Monitor Networked Devices (NextGov, October 12, 2021): “Agencies face new deadlines to provide the Cybersecurity and Infrastructure Security Agency with access to any system they’ve implemented to track activity on devices that connect to federal networks or to get busy putting such a system in place, according to the Office of Management and Budget.”
- Cyber Insurance’s “Perfect Storm” (The Triple I Blog, September 14, 2021): “Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.”
Interagency Cybersecurity Efforts
- DHS looks to harmonize cyber reporting for critical industry (NextGov, September 22, 2023)
- HHS looks to improve cybersecurity coordination (NextGov, September 8, 2023)
- CISA releases updated guidance for zero trust security architectures (FCW, April 11, 2023)
- Inside the international sting operation to catch North Korean crypto hackers (CNN, April 10, 2023)
- Coast Guard graduates first class of cyber majors (FCW, May 16, 2022): “A “handful” of newly minted cyber specialists will go to the Coast Guard’s Cyber Command headquarters for their initial assignment, the service’s chief told Congress last week.”
- State Department Announces First Bureau of Cyberspace and Digital Policy (NextGov, April 4, 2022): “The new office will work to advance foreign and domestic security through modernizations featuring new and emerging technology.”
Cybersecurity Risk
- Need to charge your phone? Think twice — ‘juice jackers’ might come for you (NPR, April 14, 2023): “The U.S. government is warning of the dangers of using public, free cellphone charging stations, such as airports, hotels and shopping centers. The FCC put out a statement, and local branches of the FBI are also expressing concern.”
- Forget the spy balloon. China-linked hackers collect far more information, report says. (NBC, February 28, 2023)
- North Korean hackers extorted health care organizations to fund further cyberattacks, US and South Korea say (CNN, February 9, 2023)
- Geopolitical Instability Is Increasing The Risk Of Catastrophic Cyber Attacks (The Innovator, January 25, 2023)
- Chinese hacking group targeting US agencies and companies has surged its activity, analysis finds (CNN, October 10, 2022)
- Hackers Use More Sophisticated Scams to Drive Costly Data Breaches, Analysis Finds (NextGov, July 25, 2022): “Criminals are using more sophisticated methods, including virtual meeting services, to take advantage of compromised business emails and accounts for financial gain.”
- Diabetes Patients Flood FDA with Comments on Cybersecurity for Medical Devices (NextGov, July 8, 2022)
- Quantum hacking is the next big cybersecurity threat. Here’s how companies should prepare for ‘Y2Q’ (Fortune, July 1, 2022): “Scary as that may sound, the past may have been merely the prologue.”
- CISA Director Details Growing Threat to Maritime Transportation Sector (NextGov, March 22, 2022)
- Gov. Hochul warns New Yorkers to beware of cyberattacks in growing Russia-Ukraine crisis (Gothamist, February 21, 2022)
- Despite years of preparation, Ukraine’s electric grid still an easy target for Russian hackers (Politico, February 19, 2022)
- US warns hundreds of millions of devices at risk from newly revealed software vulnerability (CNN, December 14, 2021)
- Utilities Face Growing Global Cyber Threat Landscape (NextGov, October 28, 2021): “A cybersecurity firm focused on industrial cybersecurity is tracking 15 groups, 11 of which are targeting utilities.”
- The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds (USA Today, October 13, 2021)
- Why Today’s Cybersecurity Threats are More Dangerous (CSO Online, October 4, 2021)
- Government Watchdog Finds Federal Cybersecurity has ‘Regressed’ in Recent Years (The Hill, 3/2/21) – Federal cybersecurity has “regressed” since 2019 due to factors including the lack of centralized cyber leadership at the White House, according to a Government Accountability Office (GAO) report.
Cybersecurity Incidents
- GPS spoofing impacts thousands of commercial flights (MSN.com, September 24, 2024)
- US Capitol Hit by Massive Dark Web Cyber Attack: Reports (MSN.com, September 24, 2024)
- Cyberattack throws airport into chaos for fourth day in a row (MSN.com, August 27, 2024)
- 2.9 billion records, including Social Security numbers, stolen in data hack: What to know (USA Today, August 17, 2024)
- AT&T says hackers stole 2022 call and text data from ‘nearly all’ cell customers (NPR, July 12, 2024)
- Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks (Ars Technica, April 24, 2024)
- Texas Hack May Be First Disruption of US Water System by Russia (Washington Post, April 17, 2024)
- Vacaville hospital turns away patients due to cyber incident, systems down (CBS News, April 2, 2024)
- Potential cyberattack against Pensacola knocks out non-emergency city phone system (Pensacola News Journal, March 18, 2024)
- Ransomware attack causes outages at 60 credit unions, federal agency says (CNN, December 4, 2023)
- Federal investigators confirm multiple US water utilities hit by hackers (CNN, December 1, 2023)
- Ransomware gang targeting defense firms, FBI warns (Defense One, September 21, 2023)
- Having a hard time finding Clorox wipes? Blame it on a cyberattack (NPR, September 20, 2023)
- China Sows Disinformation About Hawaii Fires Using New Techniques (New York Times, September 11, 2023)
- Meta Uncovers Largest-Ever Chinese Influence Network (Wall Street Journal, August 29, 2023): While not necessarily ‘hacking’, per se, this incident highlights the manner in which ICT can be leveraged with nefarious intent.
- Cyberattack disrupts hospital computer systems across US, hindering services (The Guardian, August 4, 2023)
- Cyberattack forces Idaho hospital to send ambulances elsewhere (CNN, May 31, 2023)
- A deadly fungus with mysterious origins is raising alarms (National Geographic, April 13, 2023)
- “Major” cyberattack compromised sensitive U.S. Marshals Service data (CBS, February 28, 2023)
- Could a parasitic fungus evolve to control humans? (National Geographic, January 19, 2023)
- Mystery hacker says 1 billion people exposed in ‘biggest hack in history’ (Yahoo Finance, July 4, 2022): “The 23 terabyte (TB) cache was allegedly stolen from the Shanghai police department and was advertised on hacking forums in the country.”
- ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks (Lumen, June 28, 2022)
- Costa Rica’s struggle amid ransomware attacks comes as a warning to other countries (Market Watch, June 17, 2022): “For two months now, Costa Rica has been reeling from unprecedented ransomware attacks disrupting everyday life in the Central American nation. It’s a situation raising questions about the United States’ role in protecting friendly nations from cyberattacks at a time when Russian-based criminal gangs are targeting less developed countries in ways that could have major global repercussions.”
- US Federal Agency Hit with Successful Cyberattack, Data Stolen (Threat Post, September 24, 2020)
- Chinese Hackers Targeted Internet-of-Things During Trump-Putin Summit (GovExec, July 19, 2018)
Infrastructure Cyber Risk
- National Security Memorandum on Critical Infrastructure Security and Resilience (White House Memorandum, April 30, 2024)
- 1 in every 13 bridges in America is in ‘poor’ condition. Thousands could collapse from a collision (CNN, March 30, 2024)
- White House, EPA warn water sector of cybersecurity threats (Cyberscoop, March 19, 2024): “The White House sent a stark warning to U.S. governors […] that “disabling” cyberattacks targeting water systems are occurring throughout the United States.”
- Cyberattack Threatens Release of Port of Lisbon Data (Maritime Executive, December 29, 2022)
- 2 men arrested for allegedly sabotaging 4 Washington state power substations on Christmas (ABC News, January 3, 2023)
- Website of all undersea internet cables
- Livestock Carrier Capsizes and Sinks, Killing 15,000 Sheep (Maritime Executive, June 12, 2022): This incident highlights the cascading infrastructure risks that can start with a single incident. In this case, the Port in Sudan is expected to experience supply chain issues and environmental impacts (caused by the decay of almost 16,000 sheep).
- A Hot, Deadly Summer Is Coming With Frequent Blackouts (Bloomberg, May 22, 2022)
- Despite years of preparation, Ukraine’s electric grid still an easy target for Russian hackers (Politico, February 19, 2022)
- America’s Power Grid Is Increasingly Unreliable (Wall Street Journal, February 18, 2022): “Large, sustained outages have occurred with increasing frequency in the U.S. over the past two decades, according to a Wall Street Journal review of federal data. In 2000, there were fewer than two dozen major disruptions, the data shows. In 2020, the number surpassed 180.”
- Electric grid is ‘attractive target’ for domestic violent extremists in US, intel brief says (CNN, January 25, 2022)
- Tonga’s volcano blast cut it off from the rest of the world. Here’s what it will take to get it reconnected (MIT Technology Review, January 18, 2022): “The world is anxiously awaiting news from the island—but on top of the physical destruction, the eruption has disconnected it from the internet.”
- Wintery Conditions Leave Thousands of Motorists Trapped on Highway For a Day (Route Fifty, January 4, 2022): “Drivers—including one U.S. senator—found themselves trapped in their cars in Virginia, some for more than 24 hours. But no deaths or injuries have been reported.”
- America’s Infrastructure Struggles With New Weather Forecast (Wall Street Journal, November 15, 2021): “Historically anomalous heat and rain have overwhelmed systems designed to withstand old meteorological patterns, and climatologists expect still worse with climate change.”
- Disaster resilient infrastructure: Unlocking opportunities for Asia and the Pacific (April 2022)
Cyber Activism / Terrorism
- ‘Lock it down right now’: Abortion rights advocates prepare for a new wave of digital security threats (Politico, June 17, 2022)
Cybercrime
- European Cybercrime Atlas (Portal, Static): “A knowledge management platform to map, categorize and stimulate collaboration between European cybersecurity experts in support of the EU Digital Strategy.”
- How did the auto dealer outage end? CDK almost certainly paid a $25 million ransom (CNN, July 11, 2024)
- Cybersecurity Specialist Kai Roer Discusses Cybercrime and Explains Security Culture (Grit Daily, July 1, 2022)
- Google Warns About Hacker-for-Hire Services Trying to Phish Users (PC Mag, June 30, 2022): “These hacker-for-hire services have been busy using fake messages from companies including Google to trick users into visiting their malicious websites.”
- 22 very bad stats on the growth of phishing, ransomware (VentureBeat, February 22, 2022)
- Ransomware victims are paying up. But then the gangs are coming back for more (ZDNet, February 22, 2022)
- FBI: Now scammers are using fake video meetings to steal your money (ZDNet, February 21, 2022)
Image Credit: Brij Kishore Pandey, Principal Engineer, ADP.
Cyberwar
- Secret trove offers rare look into Russian cyberwar ambitions (Washington Post, March 30, 2023): “More than 5,000 pages of documents from a Moscow-based contractor offer unusual glimpses into planning and training for security services, including the notorious hacking group Sandworm.”
- 7 takeaways from the Vulkan Files investigation (Washington Post, March 30, 2023)
- Inside a US military cyber team’s defence of Ukraine (BBC, October 29, 2022)
- 6 historical threat patterns suggest that cyberwar could be inevitable (VentureBeat, July 1, 2022)
- Will Biden’s ‘Severe Costs’ on Russia Include Cyber Attacks? (Defense One, February 18, 2022)
Infrastructure Protection
- Critical Infrastructure Protection Wiki (European Union, STATIC)
- Why so many Florida gas stations are still out of gas (CNN, October 14, 2024)
- USPS employees in hurricane-ravaged areas deal with loss—and still make their deliveries (Government Executive, October 9, 2024)
- Nearly 2,000 Florida gas stations have run out of fuel. Hurricane Milton could cause even more trouble (CNN, October 9, 2024)
- Frustrations rise amid continued power outages in Houston after Beryl (Axios, July 11, 2024)
- The Growing Danger of Dams (Time, September 26, 2023)
- Animal-Related Power Failures (CyberSquirrel, STATIC): This now-defunct tracking of animal-related power outages shows the relative risk to the world’s power infrastructure from animals as compared to all other forms of disruption (other than major disaster events).
- A damaged file may have caused the outage in an FAA system, leading to travel chaos (NPR, January 11, 2023)
- Hackers beware: Justice Department doubles down on efforts to thwart global cybercrime (USA Today, February 17, 2022)
- Agencies Warn of Ongoing Cyber Threats to Water Treatment Facilities (NextGov, October 15, 2021)
- A Quarter of the Nation’s Critical Infrastructure Is at Risk of Flooding. It’s Going to Get Worse (Rolling Stone, October 11, 2021)
- OIG: CISA Must Update Plan for Critical Infrastructure Protection (MeriTalk, September 17, 2021): “In a new report, the OIG found that CISA isn’t able to demonstrate how its oversight has improved Dams Sector security and resilience due to inadequate management of Dams Sector activities.”
- What’s in the new infrastructure bill — and why it’s a big deal (Vox, July 29, 2021): “The bill includes a lot of measures that will help current and future generations: a major expansion of high-speed internet; spending for roads, bridges, and public transit; and funding for clean drinking water. It would include new measures to combat climate change, including money for electric vehicles and modernizing the power grid.”
- DHS to issue new pipeline security regulations after Colonial attack (FCW, May 25, 2021): “The Biden Administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead,” a DHS spokesperson told FCW on Tuesday.”
- Mission to Clean Up Space Junk with Magnets Set for Launch (CNN, March 19, 2021) – Space junk threatens the satellites that enable weather prediction, communication, navigation, and other aspects of US and global infrastructure. This mission is seeking to understand how such threats, which are increasing rapidly, can be addressed in the future.
- Suez Canal Interruption (March 2021)
- How a Long Shutdown of the Suez Canal Might Roil the Global Economy (NPR, March 26, 2021): When the Ever Given container ship became stuck in the Suez Canal, a large component of the global supply chain became nonfunctional.
- Piracy Fears Mount as Ships Take Long Way Around Africa to Avoid Blocked Suez Canal (Washington Post, March 26, 2021)
Special Issues
- Climate Change Is Killing Buildings in Slow Motion (Bloomberg, October 21, 2024)
- Utility Bills Rise as Americans Pay Off Storm-Recovery Costs for Decades to Come (Wall Street Journal, December 11, 2022)
- Internet outages point to web’s concentration of power (NBC News, December 16, 2021): “Outages at Amazon, Comcast and other internet services have caused widespread disruptions with global consequences, highlighting internet availability and reliability issues.”
- Flooding could shut down a quarter of all critical infrastructure in the U.S. (Axios, October 11, 2021): The new national inventory of flood risk during the next thirty years, which takes into account climate change-driven increases in sea levels and heavy precipitation events, is the first of its kind.
- Number of Objects in Low Earth Orbit Jumps 22% in 2 Years: Space Operations Command (Defense One, August 25, 2021): Mega constellations and other space-based objects pose a threat to satellites that many components of infrastructure rely on to function.
Organizations and Opportunities
- UNDRR PreventionWeb Critical Infrastructure Information Platform (STATIC)
- Coalition for Disaster Resilient Infrastructure (CDRI) Fellowship Programme – From the FEMA EMI Higher-Ed Newsletter: “CDRI is inviting applications for the CDRI Fellowship Programme 2022-23. The CDRI Fellowship Programme aims to promote research and innovation on Disaster Resilient Infrastructure (DRI). You may take a look at the projects of the current cohort here.”
Infrastructure Funding / Grants
- Biden Signs $1 Trillion Infrastructure Bill Into Law (The Wall Street Journal, November 15, 2021)
- How the $1 Trillion Infrastructure Bill Aims to Affect Americans’ Lives (Wall Street Journal, November 6, 2021): “The legislation seeks to ensure fewer blackouts and cleaner water, but in some areas it might fall short of needed upgrades”