Notes from June 2017 DoD DFARS Information Day & MDA NDIA-TVC DFARS Track
As we get ever closer to the end of the year deadline for DoD contractors to complete their compliance of DFARS 252.204-7012, additional information has become available.
On June 23, there were two events that provided additional clarification on the DFARS 7012 clause:
- The DoD held an Industry Information Day on June 23, 2017 to address questions regarding DFARS Case 2013-D018 (related to cloud services), DFARS 252.204-7012, and 252.239-7010 (also related to Cloud Computing Services).
- The Missile Defense Agency (MDA) National Defense Industrial Association Tennessee Valley Chapter (NDIA-TVC) event was held on June 21-22, 2017.
The most important takeaway from both events is that the DoD is not contemplating any changes to the DFARS clauses addressing cybersecurity.
DoD contractors should not expect any relief from the requirement to be compliant by the end of this year, December 31, 2017.
Additional clarifications and information can be read here.
Forrester Research Forecasters Predict Health Care Industry Will Be Most Heavily Targeted
We're getting close to the end of 2016 and people are already thinking about their New Year's Resolutions. Everyone at Sentar hopes you'll resolve to be a more secure cyber citizen. Change your passwords! Stop clicking on those links in email you receive from people or companies you don't know. Pick up the phone and talk more often.
2017 is expected to bring severe problems caused by cyber attacks, including the expectation that "hackers could hurt the American economy by, among other things, taking down huge parts of the national electricity grid."
Before you peer into the future, here are the facts on the 2016 cyber attacks that we know of to date, as reported in this article posted by 247WallSt.com:
"Identity Theft Resource Center reports that there have been 957 data breaches recorded this year through December 6, 2016, with more than 35 million records exposed. Since beginning to track data breaches in 2005, ITRC has counted 6,766 breaches, involving more than 886 million records."
Internet of Things P0wned! Major Sites Taken Off the Internet by Webcams, Thermostats and DVRs
On Friday, October 21, 2016, millions of 'smart' home devices designed to connect to cloud services on the Internet began generating traffic intended to shut down many popular websites, such as eBay, Amazon and Twitter.
This attack is known as a Distributed Denial of Service (DDoS), and it targeted a company called Dyn, which provides major infrastructure for large, popular websites. This "Internet of Things" based attack used recently released hacker software, called Mirai, to find and take over these devices, converting them into a botnet. The Mirai malware targets "smart" devices connected to the Internet, like security cameras, baby monitors, DVRs, refrigerators...you get the idea. The main design point for these IoT devices has been to make it easy for anyone to pull them out of the box, plug them in and be connected.
Because they are built for plug-and-play convenience rather than security, IoT 'smart home' devices are often very insecure, and are rarely, if ever, updated with security patches.
Insulin Pump Users Warned of Possible Cyber Attack Vulnerability
We blogged about the dangers of medical devices being hacked back in January. This week, Johnson & Johnson (Stock: JNJ) took the unusual step of sending a letter to their clients about a cyber vulnerability in one of their insulin pumps. While they state that the chance of an actual attack is very low, they do provide multiple steps that a user can take, including turning off the radio that enables automatic recording of blood glucose levels.
The 3rd Offset: US Air Force is Rapidly Mobilizing For Cyber War
Several recently published articles provide insight into the challenges and direction of modern warfare as understood by many experts, such as those in Cyber Command, Navy/SPAWAR and Air Force Space Command/AF Cyber. In a single word, they are focused on convergence. Other services have also recognized this area's importance, as shown in other articles this year that are referenced and quoted in the full blog article. Internally, Sentar experts have also recognized the importance and inevitability of cybersecurity and electronic warfare convergence for quite some time through their work with various DoD agencies. Click here for the detailed article.
HHS.Gov: Your Money or Your PHI
One of our cybersecurity analysts sent an article to me yesterday. We have been discussing Ransomware, Hospitals and IoT Medical Device vulnerability.
"One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals."
A Cyber Attack on NATO Allies is an Attack on All
NATO has officially designated cyberspace as an operational warfare domain and confirmed that a cyberattack on any of its allies will be considered an act of war.
A cyberattack on one of the NATO member states would activate Article 5 and call for a response from the alliance.
Over the course of the last few weeks, one major issue that encryption presents to investigators and organizations has come to the forefront for not only security-minded professionals but also the general American public. Why? Encryption, while one of the main tenets of data security, has been the culprit behind several recent incidents...