The decision to ban Kaspersky Lab products and services from federal agency networks and systems may just have been a shot across the bow.
The Justice Department is considering rolling out the big guns against companies owned and operated by Russian nationals.
John Demers, the assistant attorney general for National Security in DoJ, said in light of the SolarWinds attack, Justice, along with the FBI and the intelligence community, launched a new effort to see where there may be supply chain vulnerabilities of companies that are Russian companies or are doing business in Russia.
“This is not meant punitively, but meant protectively,” Demers said at the recent Justice Department Cyber Symposium. “Where there’s a critical pieces of software, if there’s back end software design and coding being done in a country where we know that they’ve used sophisticated cyber means to do intrusions into U.S. companies, then maybe the U.S. companies shouldn’t be doing work with those companies from Russia or from other untrusted countries. That’s something that we’re going to be looking closely at.”
Demers said Justice, FBI and ODNI will share the information it collects with the Commerce Department, which will then decide how to use its authorities under the May 2019 executive order signed by President Donald Trump about whether to prohibit use of technologies that pose a risk to agencies or critical infrastructure.
“We are evaluating the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia,” a Justice Department spokesman added after the event in an email to Federal News Network. “Unlike sanctions, which punish individuals and entities for bad behavior in the past, this review is focused on risk management: Which companies, or classes of transactions, pose a heightened threat to national security because of the vulnerabilities they introduce or the consequences, should they be exploited in the future.”
The spokesman offered not timeline for when DoJ and its partners would complete the review.
This move from the Justice Department, FBI and the intelligence community follows Congressional requirements for agencies to stop using products and services from telecommunications companies owned and operated by Chinese nationals.
While lawmakers started ringing alarm bells as far back as 2012, it took seven years to get language into law to prohibit the use of products and technologies from companies like ZTE and Huawei.
The recent SolarWinds compromise and other cyber attacks are driving DoJ’s review of Russian companies. Only Kaspersky Lab has been officially banned from federal networks and systems.
DoD piloting several DIB cyber programs
Concerns over foreign ownership or influence on technology companies isn’t just about ownership and location, it’s also about espionage and data leaks.
The Defense Department is taking steps to shore up its industrial base against these long-standing problems.
The DoD chief information officer is expanding its defense industrial base (DIB) cybersecurity information sharing program.
“Although this program was designed to share indicators of compromise and malware analysis services with cleared defense contractors—those members of the industrial base that have security clearances and access to classified information—the DoD CIO is working to amend relevant regulations to expand the program to include non-cleared defense contractors, thus enabling small- and medium-sized contractors to receive important information, including the same signatures, malign IP addresses and threat advisories that the larger cleared primes receive as part of the program,” said Rear Adm. William Chase III, the deputy principal cyber advisor to the Secretary of Defense and director of protecting critical technology task force, in written testimony before the Senate Armed Services Subcommittee on Cybersecurity. “The Defense Cyber Crime Center (DC3) is also expanding the services available to the DIB, piloting efforts such as penetration testing to address contractors’ external-facing vulnerabilities and an adversary emulation program.”
Chase also told lawmakers about a cyber threat intelligence sharing program called Crystal Ball, which is an “outside looking in” type of program
It helped identify and notify 13 DIB partners about the Microsoft Exchange attacks from Chinese actors.
NSA offering cyber services to contractors
Another is the DIB vulnerability disclosure program to help companies improve their cyber hygiene.
DoD is looking to expand these pilots to those companies that do not have security clearances in order to more broadly share the threat data from just 800 contractors to tens of thousands.
Additionally, the National Security Agency is running pilots to share unique, actionable threat information and cybersecurity guidance with members of the DIB and their service providers. Another pilot provides unique cybersecurity capabilities to the DIB, among the most promising of which is the provision of free and secure Domain Name System (DNS) lookup services to the DIB.
“The NSA is offering this cybersecurity service — called Protective DNS, or pDNS — in partnership with an advanced commercial DNS provider and is currently enrolling members of its industrial base,” Chase wrote. “This capability combines a commercial DNS sensor architecture with real-time analytics to quickly understand malicious activity targeting the DIB and to deploy immediate countermeasures. The efficacy of this service has been widely demonstrated—it does not require access to internal contractor networks and has the potential to prevent or disrupt adversary cyber exploitation activities.”
And, of course, there is the Cybersecurity Maturity Model Certification (CMMC) program.
Jesse Salazar, the deputy assistant secretary of Defense for industrial policy, told Senate lawmakers DoD moved CMMC under his office earlier this year.
He said the final CMMC acquisition rules should be in place by the end of 2021 after reviewing about 850 comments and the recommendations from the deputy secretary’s review.
“As part of our look, we are trying to assess how we bring clarity to the requirements that we are asking, looking at the barriers to small businesses and then making sure we have trust in the ecosystem,” Salazar said.
CMMC 30-day review is completed
A source with knowledge of CMMC confirmed the deputy secretary’s 30-day review completed in late April.
Salazar said in his written testimony that one of DoD’s biggest challenges with CMMC is to deconflict and streamline multiple cyber requirements to avoid requiring duplicative efforts.
“This includes providing clear guidance on the alignment of the NIST SP 800-171 DoD Assessment Methodology and CMMC, as they pertain to safeguarding controlled unclassified information (CUI), as well as the requirements and assessment approach for contractors that use cloud service provider offerings,” he said. “Moreover, the department is committed to working with our allies and international partners to better understand how the CMMC framework compares with other nations’ cybersecurity requirements and better align these requirements to help protect the department’s mission critical supply chain.”
Chase said many of these pilots are providing direct cybersecurity services to the industry instead of depending on their ability to use tools to detect threats and vulnerabilities.
“This approach institutionally buys down cybersecurity risk across entire industry segments rather than relying on individual small- and medium-sized businesses to defend their networks as if they were large prime contractors,” he said.