New SEC cyber rules are about to go into effect. Expect some bumps.

Welcome to The Cybersecurity 202! This is your periodic reminder to send news tips to me at

Below: A China-linked botnet is breaching security cameras, and the FCC votes to update its data breach rules. First:

SEC cyber rules make their debut this week, challenging publicly traded companies

The next two weekdays, tomorrow and Monday, bring an important couple of dates for publicly traded companies: It’s when a set of contentious Securities and Exchange Commission cybersecurity rules kick in. And experts expect some real challenges for organizations that have to comply.

The regulations, which have drawn fire from industry groups and Hill Republicans despite attempts by the SEC to ease concerns about the rules, are coming into effect in stages.

  • Tomorrow, for public companies whose fiscal years end on or after Dec. 15, they’ll have to describe in their annual reports to the SEC what kind of processes they’ve put in place to evaluate and manage the risks of cyberthreats.
  • Then, starting on Dec. 18, public companies that aren’t of the smaller variety will have to disclose cybersecurity incidents to the SEC within four days of the company determining that they would be severe enough to be deemed important by potential investors. (Smaller companies get more time to fall in line.)

The rules are set to kick in shortly after the Department of Justice released guidelines on Tuesday about how companies could ask for temporary exemptions on disclosing major cyber incidents where they believe that doing so would harm national security.

Some experts told me that one of the hardest things companies have had to do in getting ready for the onset of the rules is determining when an incident is “material”; that is, important to investors.

“It’s a challenge,” Naj Adib, a principal in Deloitte & Touche’s cyber and strategic risk practice who has been advising companies on the regulations, told me. “Materiality considerations for things that are subjective are hard in general.”

Drew Bagley, vice president and counsel of privacy and cyber policy at the cybersecurity firm CrowdStrike, told me “the hardest part is, how are you going to make a materiality determination?” There will be incidents that, when they begin, will look like they meet that standard, only to find out later that the attack wasn’t as severe as it looked — or vice versa. And materiality will vary from company to company, he said. “It’s going to be different for every organization,” he told me.

One key to getting those determinations right is assembling a committee or council that’s ready to make decisions for when incidents happen, said Adib and Bagley. That means getting the legal side of the company, the business side and the technical side together.

The components of the rules that aren’t focused on incident reporting aren’t getting enough attention either, Bagley said.

There’s little doubt companies are clued in to the need to take action, Adib said. “I get the sense that most organizations are focused on this,” he said. “People are paying attention.”

The question is whether they’ll be ready in time. “I think you’re going to have probably most organizations playing catch-up in terms of figuring out how to do this initial structure,” Bagley told me.

The DOJ guidelines on when a publicly traded company can seek an exemption from immediately reporting a material cyber incident emphasize a couple of main points:

  • The test is not whether the attack itself harms national security or public safety, but whether disclosing the attack would do so.
  • The kinds of incidents that could lead to an exemption include: attacks exploiting a weakness for which there isn’t a widely known solution yet, where disclosure could lead to more attacks; cases where the victim holds a significant amount of sensitive government information; cases where the company is working to remediate a critical infrastructure attack and disclosure could undermine that remediation; and cases where a government agency has alerted a victim about an attack and disclosure could reveal sensitive information about the government’s efforts to combat it.

While the DOJ had signaled some of its plans on the national security exemption, a few things are noteworthy about them, said Adam Hickey, the former deputy assistant attorney general of the department’s National Security Division.

One of the interesting elements is that government agencies can seek an extension with the victim’s consent, Hickey, now a partner at Mayer Brown, told me. He also said the guidance provided some insight into how companies should time their work on any requests — namely, before they make a determination of materiality.

Senior Justice Department officials who spoke to reporters on the condition of anonymity under ground rules set by the department said on Wednesday that a few top law enforcement officials will be responsible for deciding which cases do not have to be immediately made public. They said they do not expect that many incidents will qualify for an exception.

They also said they do not know how many companies will apply for such a delay, but that they expect only “a limited number of circumstances that can pose a danger to national security” that would justify the rare use of the exception.

Hickey said rare DOJ approval of an exemption made sense. “The department is going to be very reluctant to put itself between a registrant and information the market would otherwise be entitled to,” he said. “That is taking on a significant responsibility, and I don’t think the department’s going to want to be in that position very often.”

And Hickey said he also doesn’t expect many companies will apply for exceptions, citing his time at the FBI when companies could seek similar exceptions to state data breach reporting laws and how rare it was for companies to do so.

Perry Stein contributed reporting to this story.

China-linked botnet hacking commercial, home security cameras as ‘hop points’ to victims

A botnet likely operated by Chinese state-sponsored hackers is gaining access to commercial and home security cameras, as well as internet routers and firewalls, according to research out Wednesday from Black Lotus Labs, Lumen’s threat research and intelligence group.

The botnet, which the researchers call “the KV-botnet,” has been active since at least February of last year but has noticeably increased activity in recent weeks.

The botnet has historically relied on end-of-life products from major U.S. manufacturers like Netgear and Cisco to enable hackers to hide their tracks as they seek to compromise their intended victim. Such hackers include the Volt Typhoon cyber campaign, which our colleagues Ellen Nakashima and Joseph Menn reported this week was affiliated with China’s People’s Liberation Army.

The botnet, in particular, also targeted IP cameras made by Axis in late November, and has also targeted some 170 ProSAFE firewalls manufactured by Netgear as recently as Dec. 5. Some of those targets in possession of ProSAFE routers included a U.S. judicial organization and U.S. libraries, according to Lumen Principal Information Security Engineer Danny Adamitis.

Adamitis added that the researchers do not have perfect visibility into where the specific Axis cameras were located but that around 50 were targeted and were likely being used as a hop point for the botnet.

  • The botnet was also used against several organizations in Guam, including telecoms and an internet service provider, according to the analysis. It also latched onto a renewable energy organization in Europe this month.
  • KV is “out there creating a network” using a “huge pool of machines” that are enabling both its own hacking activities and the activities of other hacking groups to occur, Lumen Lead Information Security Engineer Ryan English told The Cybersecurity 202.
  • The uptick in operations in recent weeks has been linked to holiday season activity, when many disconnect for vacation time or attend parties, Lumen estimates.

Heat map data and other analysis from the group indicates that KV is likely being used during Chinese business hours, and that its operator is cautiously and manually carrying out efforts to exploit devices and surreptitiously add them to the network.

The analysis, which observes overlap between the botnet and Volt Typhoon activity, comes as Ellen and Joseph in their report said that the Chinese military, through its Volt Typhoon campaign, has been ramping up penetrations into sensitive U.S. critical infrastructure, including power and water utilities as well as communications and transportation systems.

Our colleague Ellen Nakashima contributed to this newsletter item.

Correction: A previous version of this item incorrectly spelled Danny Adamitis’s last name. This item has been updated.

Microsoft seizes infrastructure of top cybercrime group in court order

Microsoft in a sweeping court order seized the infrastructure of a cybercrime group responsible for creating some 750 million fraudulent Microsoft accounts used to carry out malicious cyber activity, CyberScoop’s AJ Vicens reports.

  • “The announcement comes nearly a week after Microsoft obtained a court order from the Southern District of New York allowing it to seize U.S.-based infrastructure and websites used by a group the company tracks as Storm-1152,” Vicens writes.

The group played a major role in the cybercrime-as-a-service ecosystem, according to a blog post from Amy Hogan-Burney, Microsoft’s associate general counsel for cybersecurity policy and protection. Microsoft has also identified groups like Scattered Spider, a financially motivated hacking group that famously breached MGM and Caesars, as a major user of Storm-1152 Microsoft accounts.

Vicens later adds: “The court order allowed Microsoft to seize hotmailbox[.]me, a site that sold Microsoft accounts from around the world. A snapshot of the site captured December 7 and available via the Internet Archive offered accounts for sale for a fraction of a cent each.”

FCC updates data breach rules, teeing up privacy battle

The Federal Communications Commission on Wednesday voted 3-2 to adopt rule changes that broaden the scope and definition of a data breach incident, Bloomberg Law’s Tonya Riley reports.

The action “expands the definition of a breach to include ‘inadvertent access, use, or disclosure of customer information’ and the reach of notification rules to cover all customers’ personally identifiable information held by carriers and telecommunications relay services,” Riley writes.

  • Senate Republicans are likely to push back on the measure, the report adds. Sen. Ted Cruz (R-Tex.) wrote Monday that the changes likely violate a Trump-era congressional policy that prevented the FCC from enforcing stricter privacy requirements on internet providers. The two Republicans on the commission voted against the proposed rule for similar reasons.

The FCC under Chair Jessica Rosenworcel has been pushing for additional privacy and security initiatives in telecommunications networks. The agency in June stood up a Privacy and Data Protection Task Force to focus on data breaches and other cyber intrusions.

A former White House scientist was scammed out of $655,000. Then came the IRS. (By Michael Laris)

Google is rolling out new protections for our location data (By Chris Velazco)

Apple will no longer give police users’ push notification data without a warrant (TechCrunch)

How to stop Dropbox from sharing your personal files with OpenAI (CNBC)

State Dept.’s fight against disinformation comes under attack (New York Times)

Solarium Commission group identifies opportunities to boost cyber resilience in water sector with support at federal, state levels (Inside Cybersecurity)

Inside the troll army waging Trump’s online campaign (New York Times)

U.S. officials were ‘furious’ about leaks exposing Ukraine war concerns (John Hudson and Missy Ryan)

Pro-China YouTube network used A.I. to malign U.S., report finds (New York Times)

Kyivstar starts restoring voice services -CEO (Reuters)

IDF website attacked by pro-Palestinian hackers (Jerusalem Post)

Polish hackers repaired trains the manufacturer artificially bricked. Now the train company is threatening them (404 Media)

  • CISA Associate Chief of Strategic Technology Garfield Jones, Cybercom Legislative Liaison Maureen Fromuth and Interior Department Zero Trust Program Manager Louis Eichenbaum participate in a debate series on government tech modernization at 5:30 p.m.

Thanks for reading. See you tomorrow.
