EU Claims Kaspersky Lab Software 'Confirmed As Malicious'

  • In response to being branded “malicious”, Kaspersky Lab says it has halted all work with European institutions, including Europol, until it receives clarification from the European Parliament. More and more governments, and groups of governments, are restricting or banning Kaspersky products for government use. Action against a single vendor is not unheard of (cf. Huawei), but it is still unusual for governments to single out one company by name.
  • Members of the European Parliament voted to approve a nonbinding cyber defense motion that seeks to improve Europe’s ability to defend itself against online attacks, hire more cybersecurity experts and get better at sharing information. All noble efforts, to be sure, but none of them addresses the actual issue here, which is software supply chain security: what code you run, who wrote it, and who can change it after it ships.
  • CEO Eugene Kaspersky stated that the EU’s decision “does not contribute toward building an open and secure digital single market, but rather make it more fragmented and less competitive." One of Kaspersky's reactions is to build a "transparency center" in Switzerland. Because, you know, having a code review and data processing center in Switzerland guarantees that there will be no meddling from the Russian government or intelligence agencies. Nobody outsources code development to other countries, right? The location of a building says nothing about who writes the code, who holds the signing keys, or who can push the next update.
  • Despite there being no public evidence for the accusations against Kaspersky Lab, the Dutch and US governments have cut ties with the firm. "Public evidence" typically means that a hacker or security researcher found something and published it. That does not mean that intelligence agencies or law enforcement have not found disturbing information that has not been made public.

$4.3 Million HIPAA Penalty for 3 Breaches

  • A lack of device encryption will cost the Texas-based cancer treatment center MD Anderson $4.3 million in civil monetary penalties from the Department of Health and Human Services. For a regulatory penalty that is serious money. We have all seen lawsuit awards much higher than that, but for a regulatory fine it is noteworthy.
  • The ruling is only the second summary judgment in the agency’s history of HIPAA enforcement, and the fourth largest financial penalty. HHS keeps a public list of reported breaches known as the "wall of shame", and OCR publishes the resolution agreements and civil money penalties that follow from them. It makes for some really interesting reading: the wide variety of health care organizations that get penalized, and, more importantly, why. Every CISO needs to read this list often. Prepare to lose sleep at night. There are a few places where you can read about HIPAA fines, such as here: https://compliancy-group.com/hipaa-fines-directory-year/
  • OCR says it investigated MD Anderson following three separate data breach reports in 2012 and 2013: the theft of an unencrypted laptop, and the loss of two unencrypted USB thumb drives, together holding the electronic protected health information (ePHI) of a total of 33,500 individuals. "Unencrypted" is the operative word. What made the penalty stick is that MD Anderson had written encryption policies going back to 2006 and its own risk analyses had flagged unencrypted devices as a high risk, yet it did not begin rolling out enterprise-wide encryption until 2011 and still had unencrypted devices holding ePHI after that. Identifying a risk in your own assessment and then not fixing it looks worse to a regulator than never having looked. Encryption is not hard, it is not expensive, so......
  • MD Anderson argued that HIPAA’s penalties were unreasonable and plans to appeal. So here we are, about a month into GDPR, and for the past year we've heard over and over again about the huge penalties companies could face for GDPR violations (up to €20 million or 4% of global annual turnover, whichever is higher; I suspect there are some people out there whose knowledge of GDPR is limited to the scary fines). We have yet to see much movement on GDPR fines, but HIPAA fines have a substantial track record and could be a realistic model of how European Union authorities will hand out penalties for GDPR violations.

Joshua Adam Schulte Charged with Disclosing Classified Information

  • It was announced on Monday that former CIA employee Joshua Adam Schulte was charged in a 13-count superseding indictment in connection with his alleged theft of classified national defense information from the Central Intelligence Agency. Espionage cases are notoriously slow and difficult to prosecute, so this is a major turn of events.
  • Schulte allegedly used his access at the CIA to transmit classified material to an outside organization. In case you don't remember, Schulte is the alleged source of the "Vault 7" material describing CIA hacking tools that WikiLeaks published in 2017.
  • During the course of the investigation, federal agents also found child pornography at Schulte’s home and he is now being detained on those charges. I choose to withhold commentary here.
  • The FBI found an encrypted container holding over 10,000 images and videos of child pornography, stored beneath three layers of password protection on his personal computer. Nice job by the FBI for performing some good forensic and investigative work.

Tesla Employee Steals, Sabotages Company Data

  • A Tesla employee used his trusted access to the company’s network to steal a large amount of highly sensitive data and ship it to unknown third parties. This is every CEO's and CISO's worst nightmare: the dreaded insider threat (see the article above for additional dread).
  • CEO Elon Musk described the employee as making changes to Tesla’s manufacturing operating system using false usernames and then exporting a large volume of highly sensitive Tesla data. Note the two separate failures in that sentence: accounts existed that did not map to a real, authorized person, and a bulk export of sensitive data was possible from an account that should not have existed. There are technical and procedural steps that drastically reduce insider risk (least privilege, separation of duties for changes to production systems, reconciling every account against HR records, and alerting on export volumes far above a user's normal), but they are incredibly manpower intensive: someone has to own the reviews and chase the alerts.
  • The employee was apparently disgruntled over his job situation, having failed to get a promotion he thought he deserved. One of the classic motivations for insider threat behavior.
  • Tesla is working to find out whether the employee acted alone or was working with outside organizations. Though it won't change what happened, it will definitely be interesting to see what Tesla finds.