Friday Five 3/25
Two nation-state hacking campaigns revealed, gauging federal cyber collaboration, and more - catch up on the news of the week with the Friday Five!
1. EU and US agree data transfer deal to replace defunct Privacy Shield by Natasha Lomas
Confusion over the collapse of the EU-US Privacy Shield and how to regulate transatlantic transfers of personal data could soon be a thing of the past. The EU and the U.S. agreed in principle this week to a new data sharing pact to replace the Privacy Shield, a legal framework that set data protection standards meant to satisfy both U.S. law and the General Data Protection Regulation. Designed by the U.S. Department of Commerce and the European Commission, it was in place from July 2016 until the Court of Justice of the European Union struck it down in July 2020. The European Commission's president, Ursula von der Leyen, announced the news in a joint press conference with U.S. President Joe Biden: “We have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties.”
2. Federal government earns high marks for cyber collaboration, but gaps remain by Derek B. Johnson
Recent federal collaborative efforts, like the Joint Cyber Defense Collaborative announced by the Cybersecurity and Infrastructure Security Agency (CISA) last year, received praise in a new report released by the Center for Strategic and International Studies this week. The report, A Shared Responsibility: Public-Private Cooperation for Cybersecurity, looked at how the public and private sectors communicate on cybersecurity issues. As Derek Johnson notes in SC Magazine, the concept behind these groups goes beyond sharing information such as indicators of compromise. Instead, they mimic a joint task force, allowing government and industry to work together on whatever issue is most pressing. Still, there's work to be done. The report says companies need to do a better job of establishing what their crown jewels are and ensuring they're protected, following cybersecurity best practices, and expanding the cybersecurity talent pool.
3. Pandemic Leaves Firms Scrambling for Cybersecurity Specialists by Rob Lemos
Speaking of the cybersecurity talent pool, here's a piece by DarkReading's Rob Lemos that looks at how the pandemic has affected the dearth of talent across the industry. While much has been written about this topic over the last two years, this piece draws on statistics from the IT industry association ISACA, specifically a survey of 2,000 professionals. As you might expect, the pandemic has led to growing pains for organizations, many of which say it's harder to find and retain cybersecurity experts now. Here are some of the numbers:
• 60% of companies had problems retaining cybersecurity specialists in 2021, up from 53% of companies at the start of the pandemic in 2020.
• Nearly 60% of cybersecurity professionals see other companies poaching employees as a big reason for the current lack of knowledgeable workers.
• Nearly two-thirds of cybersecurity experts are between the ages of 35 and 54, and only about 11% are under 35.
4. US charges four Russians over hacking campaign on energy sector by Gordon Corera
The U.S. charged four Russian government employees this week, including three officers of the Russian Federal Security Service (FSB), for carrying out hacks against a series of oil refineries, nuclear facilities, and energy companies. The hacks were part of a seven-year campaign that involved spear-phishing, Trojanized software updates, and watering-hole attacks. After gaining access, the hackers deployed remote access Trojans on more than 17,000 devices between 2012 and 2014. The malware targeted 3,300 users at more than 500 different companies in 135 countries, not just the U.S. This BBC piece does a good job of breaking down the allegations.
5. North Korean hackers unleashed Chrome 0-day exploit on hundreds of US targets by Dan Goodin
More news on a lengthy campaign carried out by nation-state hackers, this time from North Korea. Ars Technica recaps research published by Google's Threat Analysis Group (TAG) on Thursday about two groups that exploited a remote code execution vulnerability in Chrome to hack organizations in multiple sectors, including news media, IT, cryptocurrency, and fintech. One of the campaigns, Operation Dream Job, lured employees at targeted organizations with fake job offers, with the ultimate goals of stealing money and collecting intelligence. Those interested in learning more about the campaign, including the phishing lures and fake job websites used, should head to Google's write-up.