The previous month in cybersecurity:
- Kaseya Gets It All Wrong
- Congress Advances a Slate of Cybersecurity Bills
- New Cyber Rules from the TSA for Pipeline Companies
- DHS Cybersecurity Chief Confirmed
- China Cracks Down on Didi
Florida-based IT firm Kaseya serves clients all around the world, and a breach in early July 2021 affected up to 1,500 different businesses. Kaseya built its reputation on providing high-quality software tools for back-office work and outsourcing, but one of those tools was turned against the company and its clients by a Russia-based hacking ring. The fallout has been significant, although it has predominantly affected SMBs. Even so, schools in New Zealand were forced to close, as were hundreds of grocery stores in Sweden. The FBI characterized the situation as “a supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”
To say we’ve seen a dramatic increase in cybersecurity breaches in 2021 is putting it mildly. It’s felt like a rush to see which companies can have a data breach the fastest. That hasn’t been lost on the US federal government, which has managed to get its members to agree to an increasingly rare bipartisan raft of bills, all of which focus on cybersecurity. All of the bills included are supposed to help address critical vulnerabilities in US and global supply chains and networks while also providing resources to educate Americans on the danger posed by cybersecurity risks.
The suite of bills includes multiple pieces of key legislation, including the Understanding Cybersecurity of Mobile Networks Act, the Secure Equipment Act of 2021, and the Future Uses of Technology Upholding Reliable and Enhanced Networks Act, to name just a few.
Most of us haven’t forgotten the pinch to our wallets or the long lines waiting to fill up earlier in 2021 when cyber attackers targeted the Colonial Pipeline. Now, new rules from the TSA (as a part of the DHS) are being handed down for pipeline companies. The new directive gets around the bottlenecks that generally slow the passage of legislation to deliver critical guidance right now.
According to The Washington Post, most of the directive is classified, but the gist is that “pipeline owners are now required to implement specific, though unspecified, safeguards against ransomware attacks. The measures cover the IT systems commonly targeted by cybercriminals, as well as physical systems that control the flow of fuel.” Also included is a requirement for pipeline companies to review their IT infrastructure and create an incident response strategy.
It’s July, and President Biden is still slowly filling open positions within the government. One of the few appointments to receive pushback from the GOP is Jen Easterly, who was recently named the Department of Homeland Security’s Cybersecurity Chief. Easterly herself is ex-military and a two-time recipient of the Bronze Star. Her confirmation had been blocked at the beginning of July by Senator Rick Scott of Florida, but she was ultimately confirmed on July 12th.
The appointment means yet more focus (and rightly so!) on the state of cybersecurity in both the government and private sectors. Easterly reportedly noted that she did not believe voluntary standards are “getting the job done”, intimating that she supports mandatory reporting to the government. Easterly is expected to expand the agency’s role as a strategic advisor and policy creator.
China’s Didi ride-hailing company is the latest to come under scrutiny by the nation’s government for cybersecurity issues. The government ordered state security and police officials to probe the company’s actions. The move comes as China continues its intense crackdown on the collection of personal data.
In addition to the presence of state security forces, Didi’s app has been ordered to be removed from all app stores. The allegations are that Didi has been harvesting personal information from its users, which is against the law in China, at least since June. Interestingly, the action comes just days after Didi completed a successful initial public offering within the United States.
Other probes are also in progress into Full Truck Alliance and Boss Zhipin (which is also US-listed). It remains to be seen just how far the government is willing to take its battle with the nation’s tech companies.
Hopefully, you found plenty of interest in this month’s roundup. Know of something that we missed? While we do our best to include the biggest news from the preceding 30 days, we do sometimes miss things, so let us know what you want us to cover.