2021 was supposed to be our savior from the dumpster fire that was 2020. The New Year was supposed to bring us new beginnings and fresh starts, but it seems like 2021 is starting even crazier than 2020 did.
Why do I say that, you ask? It just so happens that the past two weeks of cybersecurity news have brought some of the biggest, most widespread, and, yes, crazy headlines. This week is no different. The cybersecurity fallout from the U.S. Capitol attack kicks off our weekly news recap, and it doesn’t slow down from there.
As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on only the most compelling developments in the field.
The January 6th attack on the U.S. Capitol Building has deep cybersecurity ramifications, says ZDNet.
This week’s top story is the massive cybersecurity fallout from this year’s biggest news story. When hostile actors penetrated the Capitol Building’s physical security last week, they gained access to individual chambers and offices for over two hours.
One of the most telling reports relating to this story comes from Michael Sherwin, who stated “items, electronic items were stolen from senators’ offices, documents, and … we have to identify what was done to mitigate that.” With so much still unknown, the true damage to the Capitol’s cybersecurity cannot yet be assessed.
However, current reports of stolen laptops, lost data, and even potential espionage make clear that the consequences of the hostile actors’ actions will take months to sort out. Passwords, documents, access codes, and confidential or secret information may have been stolen. Additionally, it’s hard to pinpoint exactly how many individuals made it into the Capitol and exactly what they did that could potentially compromise cybersecurity.
While there’s a lot that’s currently unknown about the event that took place just over a week ago, there’s no doubt that more information will trickle out about just how severe the damage was.
Ring is no stranger to security concerns. And as Threatpost reports, this massive concern for the device’s cybersecurity has triggered a big update by the company.
Smart doorbell maker Ring is giving critics of its cybersecurity less to criticize, as it has rolled out the option for its users to enable end-to-end encryption on many of its models. Ring products have been a consistent hit with consumers, but the story is not exactly the same with cybersecurity experts. In fact, these experts claim that the company has a lack of attention to basic security.
After continued criticism from these experts, Ring unveiled and released end-to-end encryption for many of its home security products. However, Ring states that E2EE can be added to less than 50 percent of its in-use products. Older versions of the smart doorbells, including first and second generation video doorbells, cannot be upgraded to include E2EE.
While this move is one that was expected for a long time from the company, it is a welcome addition (despite all of its caveats).
TikTok, like Ring, is no stranger to harsh criticism from cybersecurity professionals. However, as Threatpost reports, the company is rolling out new features to improve security for many on the application.
The focus of this security overhaul is on underage users on the platform. According to this article, the popular video-sharing social media app will set the accounts of users aged 13-15 (the lowest age bracket allowed on the platform) to private by default.
Because TikTok’s massive user base skews heavily toward teens, this is a big advancement. Data backs this up, as over 60 percent of the platform’s 26.5 million monthly users are between the ages of 16 and 24. TikTok put out a statement earlier this week that “(TikTok) wants our younger users to be able to make informed choices about what and with whom they choose to share, which includes whether they want to open their account to public views. By engaging them early in their privacy journey, we can enable them to make more deliberate decisions about their online privacy.”
Additional changes for the platform include limiting comments on videos created by users aged 13-15; limiting Duet and Stitch to users over 16; changing the default Stitch setting to “friends” for 16- and 17-year-olds; and prohibiting downloads of videos by users under 16.
Anne Neuberger, the National Security Agency’s cybersecurity director, will be joining the Biden administration as deputy national security advisor for cyber and emerging technology, as detailed in an article by Cyberscoop.
The news, which was originally announced directly by the Biden transition team, is welcome for those hoping that the new administration would continue to make cybersecurity a priority at the federal level. Neuberger has been serving in her current role as director of the Cybersecurity Directorate at the Pentagon’s foreign signals intelligence agency for just over a year but has extensive experience with the NSA.
Neuberger had previously served on the NSA’s task force to counter Russian threats to U.S. elections, previously known as “Russia Small Group,” and as its chief risk officer. She had also overseen cyber-operations at the NSA during her time as assistant deputy director of the Operations Directorate.
This selection signals cybersecurity being a high priority to the Biden administration. President-elect Joe Biden stated that issues like the SolarWinds breach will be a “top priority” for the administration come January 20th.
Our last headline from the week comes from Bloomberg and states that the Department of Defense’s classified $2 billion cybersecurity project has been halted.
The project, which was intended to detect intrusions and prevent attacks, has been temporarily stopped due to poor test performance, according to the Pentagon’s testing office. The effort to consolidate hundreds of U.S.-based and global systems continues to be fielded on non-classified networks, even though test assessments since 2016 have continually shown it is “unable to help network defenders protect DoD component networks against operationally realistic cyber attacks,” testing chief Robert Behler wrote in his latest criticism of the project, known as the Joint Regional Security Stack.
Behler’s report, which was obtained by Bloomberg prior to its release, was written before the Department of Defense acknowledged that it was among the companies and organizations compromised by a massive intrusion that has been tied to Russian adversaries. The project, which began in the mid-2010s, is already a year late on its launch; it was due to be fully implemented by 2019 across the military’s information security infrastructure.
These poor test results have prompted Pentagon officials to reduce planned spending for expanding into the secret-level network for fiscal year 2022. This move effectively defers the effort into fiscal year 2023 at the earliest.