Welcome to The Cybersecurity 202! It's officially Cybersecurity Awareness Month. So if you're starting October reading this, you're way ahead of the game. Below: The FCC wants to get tough on SIM-swapping, and some hacks against federal agencies increased during the pandemic.

A ransomware attack might have caused another death

An ambulance arrives at the emergency entrance of a hospital. (Mike Segar/Reuters)

A ransomware attack against an Alabama hospital may have led to a baby's death in 2019, one of the first known cases in which a cyberattack had life-or-death consequences. The baby, Nicko Silar, was born with her umbilical cord wrapped around her neck and constricting her airway, causing severe brain damage, as the Wall Street Journal's Kevin Poulsen, Robert McMillan and Melanie Evans report. She died nine months later.

Obstetricians would typically perform a Caesarean section in such cases upon learning that the baby's heart rate had slowed. In this case, however, Springhill Medical Center in Mobile, Ala., was eight days into a ransomware attack that had crippled its computer systems. Nurses did not notice the fetal heart rate change, which was recorded on a strip of paper printed by the bedside monitor. It would normally have appeared on a large digital display at the nurses' station, where monitoring was far easier.

Silar's mother, Teiranni Kidd, argues in a lawsuit that the ransomware attack removed safeguards that would otherwise have ensured the nurses noticed the change in heart rate and alerted the obstetrician. The hospital denies any wrongdoing. CEO Jeffery St. Clair told the Journal in a statement that the hospital "concluded it was safe" to continue operating during the ransomware attack.

The case is a stark reminder of the devastating human costs that can result from cyberattacks, where the damage is more typically measured in lost money and productivity.
It also raises thorny questions about how to reckon the danger posed by hacking, and how the government should account for those dangers as it expands its efforts to improve the cybersecurity of hospitals and other elements of critical infrastructure. Cyber experts typically bat back comparisons of hacking threats to those posed by terrorism, noting a cyberattack has never been proven to cause a death or large-scale property destruction. But cases like the one in Alabama are complicating that argument.

This isn't the first possible ransomware death.

Prosecutors in Cologne, Germany, opened a negligent homicide investigation last year in the case of an ailing woman who was turned away from a hospital in the grips of a ransomware attack and died on the way to another hospital. Cybersecurity professionals speculate such situations are more common than is reported because of the difficulty of determining that any particular death was due to a delay in care or a shift to nondigital hospital procedures rather than underlying medical conditions.

"Security practitioners sometimes take news about 'the first ransomware-associated hospital death' with a grain of salt," Rachel Tobac, CEO of SocialProof Security, told me. "Ransomware attacks on hospitals can disrupt access to emergency care, and any delay in care or diverted ER cases can lead to greater risk of patient death," she said.

The Journal cited a statistical analysis by the Cybersecurity and Infrastructure Security Agency, which determined that ransomware attacks against hospitals could lead to dire consequences. "We can see that a cyberattack can strain you enough to contribute to excess deaths," Joshua Corman, a senior adviser for CISA, told the Journal.

Some ransomware gangs have claimed they don't attack hospitals because of concerns about disrupting patient care, but those claims ring mostly hollow. Attacks against hospitals have increased dramatically in recent years, including during the pandemic.
As ransomware attacks increase and hackers become more brazen, there are likely to be more deaths with possible links to those attacks. Unlike terrorist attacks, however, these deaths are likely to almost always fall into a gray area where it's impossible to definitively prove the cyberattack caused the death. In the Alabama case, there's no question hospital staff erred in not noting the change in heart rate, but it's not completely clear that was the result of the ransomware attack.

A text exchange between the obstetrician, Katelyn Parnell, and the nurse manager shortly after Silar's birth has been entered into evidence in the lawsuit, the Journal reports. In the exchange, Parnell states that she would have performed a C-section if she'd been alerted about the lowered heart rate and calls the brain damage at birth "preventable." "I need u to help me understand why I was not notified," she writes. Parnell is also a defendant in the case.

The keys

Computer scientists defended their work tying the Trump campaign to a Russian bank

John Durham has accused cybersecurity lawyer Michael Sussmann of lying to the FBI. (Amanda Andrade-Rhoades for The Washington Post)

John Durham, a special counsel appointed by the Trump administration to review the Russia investigation, suggested in a recent indictment that computer scientists who found curious Internet links between the Trump Organization and Russia's Alfa Bank didn't actually believe their find was significant.

Now, lawyers representing two of the computer scientists at the center of the claim say that's misleading, the New York Times's Charlie Savage and Adam Goldman report. "Reports that these findings were innocuous or a hoax are simply wrong," the lawyers say. The FBI ultimately determined the Internet links were not suspicious. The indictment did not accuse the computer scientists of a crime.
Instead, Durham charged cybersecurity lawyer Michael Sussmann, who alerted the FBI about the digital signals. Sussmann told the FBI he was not relaying the claims on behalf of a client. In fact, Sussmann billed the work to Hillary Clinton's presidential campaign, according to Durham. Durham has issued a fresh set of subpoenas in the case, CNN's Evan Perez and Katelyn Polantz report. One of the subpoenas is directed at Sussmann's former law firm, Perkins Coie, they report, citing people briefed on the matter.

A federal regulator is looking into preventing hackers from stealing cellphone numbers

The Federal Communications Commission wants to halt "SIM-swapping," in which hackers hijack phone numbers by convincing phone companies that they're the owners. SIM-swappers have racked up numerous high-profile victims, drawing attention to the practice. In 2019, Twitter CEO Jack Dorsey was targeted in such an attack. The FCC wants to update its rules to require phone companies to make sure people who try to transfer phone numbers are who they say they are. The regulator is seeking public comments on how to do that. It also wants phone companies to immediately let customers know about requests to change their phone information. Lawmakers have long called for the FCC to take action on SIM-swapping. In January 2020, six Democratic lawmakers urged then-FCC chairman Ajit Pai to start the rulemaking process to defend against the practice.

Government agencies faced more cyberattacks during the pandemic

Five of the 12 federal agencies surveyed by the Government Accountability Office said they faced "an increase in certain types of cyberattacks during maximum telework," according to a report by the government watchdog. Officials from four of those five agencies said they had seen a rise in phishing attacks. The report called out the Securities and Exchange Commission and the Social Security Administration for having incomplete plans for secure remote working.
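To make the SIM-swapping item above concrete, here is a small Python model of a carrier's SIM-change authorization. It is an added example, not code from the FCC, any carrier or the original newsletter. It contrasts a knowledge-based check, the kind a social engineer who has phished or bought the victim's details can talk past, with the two controls the FCC proposal describes: verifying that the requester really is the account holder (here, a customer-chosen port-out PIN) and notifying the customer immediately on channels they already control. The account fields, the PIN scheme and the notification channels are assumptions chosen for illustration.

```python
"""Illustrative SIM-change / port-out authorization (added example).

Not FCC or carrier code. Account layout, the port-out PIN and the
notification channels are assumptions made for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str                 # the phone number an attacker wants to hijack
    name: str
    address: str
    ssn_last4: str
    port_pin_salt: bytes
    port_pin_hash: bytes        # salted PBKDF2 hash of a customer-chosen PIN
    registered_email: str       # contact channel already held by the customer


@dataclass
class SimChangeRequest:
    number: str
    new_sim_iccid: str          # SIM the requester wants the number moved to
    claimed_name: str
    claimed_address: str
    claimed_ssn_last4: str
    pin: str | None = None      # only the real customer should know this


@dataclass
class Decision:
    approved: bool
    reason: str
    notified: list[str] = field(default_factory=list)   # channels alerted


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked carrier database does not yield PINs outright.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(number: str, name: str, address: str, ssn_last4: str,
           email: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(number, name, address, ssn_last4, salt, hash_pin(pin, salt), email)


def weak_policy(acct: Account, req: SimChangeRequest) -> Decision:
    """Knowledge-based verification only (the setting to avoid).

    Name, address and an SSN fragment routinely show up in breach dumps or
    are phished, so an attacker who did homework passes. The sole
    notification goes to the new SIM, which the attacker holds, so the
    victim learns nothing until their phone drops off the network.
    """
    matches = (req.claimed_name.lower() == acct.name.lower()
               and req.claimed_address.lower() == acct.address.lower()
               and req.claimed_ssn_last4 == acct.ssn_last4)
    if not matches:
        return Decision(False, "identity details did not match")
    return Decision(True, "approved on account details",
                    notified=[f"sms:{req.new_sim_iccid}"])


def hardened_policy(acct: Account, req: SimChangeRequest) -> Decision:
    """Require the customer-set PIN and alert the existing channels first.

    Notifications go to the channels the customer already holds (current
    SIM and e-mail on file), never to the SIM being added, and they are
    sent whether or not the request succeeds, so a failed attempt still
    warns the victim that someone is trying.
    """
    notified = [f"sms:{acct.number}", f"email:{acct.registered_email}"]
    if req.pin is None:
        return Decision(False, "port-out PIN required", notified)
    pin_ok = hmac.compare_digest(hash_pin(req.pin, acct.port_pin_salt),
                                 acct.port_pin_hash)
    if not pin_ok:
        return Decision(False, "port-out PIN incorrect", notified)
    return Decision(True, "approved with PIN", notified)


def demo() -> tuple[Decision, Decision, Decision]:
    """Constructed scenario: the attacker knows the victim's details, not the PIN."""
    victim = enroll("+15550100", "Jane Doe", "1 Main St", "1234",
                    "jane@example.com", pin="847213")
    attacker_req = SimChangeRequest("+15550100", "8901-ATTACKER-SIM",
                                    "Jane Doe", "1 Main St", "1234")
    genuine_req = SimChangeRequest("+15550100", "8901-NEW-PHONE",
                                   "Jane Doe", "1 Main St", "1234", pin="847213")
    return (weak_policy(victim, attacker_req),        # approved: the swap succeeds
            hardened_policy(victim, attacker_req),    # refused, and the victim is told
            hardened_policy(victim, genuine_req))     # approved for the real customer


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The point the model makes is that "is this the account holder?" must rest on something the customer chose and an attacker cannot harvest, and that the alert has to reach the customer on a channel that predates the request; notifying the new SIM, as the weak policy does, tells only the attacker.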
Hill happenings

The House Intelligence Committee advanced a bill that would put job restrictions on former spies and U.S. government hackers

House Intelligence Committee Chairman Adam B. Schiff (D-Calif.) said he did not think a recent case involving hackers-for-hire and the UAE was an isolated incident. (Kevin Dietsch/Getty Images)

The amendment was introduced two weeks after three former U.S. intelligence agents admitted to working as hackers for the United Arab Emirates, Reuters's Christopher Bing reports. The amendment would require some former officials who worked in sensitive posts to report their "national security, intelligence or internal security" work for foreign governments.

Cyber insecurity

Neiman Marcus breach affected up to 4.6 million people

The compromised information includes contact information, payment card numbers, gift card numbers, usernames and passwords, the retailer said in a news release. About 3.1 million of the affected customers used payment and virtual gift cards, more than 85 percent of which were expired or invalid, the company said. Neiman Marcus has hired the cybersecurity firm Mandiant to investigate.

Daybook

- John Costello, National Cyber Director Chris Inglis's chief of staff, speaks at a Center for Strategic and International Studies event on Oct. 4 at 9:30 a.m.
- Chris Fonzone, the top lawyer in the Office of the Director of National Intelligence, and former senator Russ Feingold, a Democrat who represented Wisconsin, participate in a Center for Democracy & Technology event on the Patriot Act on Oct. 5 at noon.
- The R Street Institute hosts an event on diversity in cybersecurity on Oct. 5 at 1 p.m.
- CISA Director Jen Easterly speaks at a Washington Post Live event on Oct. 5 at 3 p.m.
- U.S. Cyber Command Commander and NSA Director Gen. Paul Nakasone and deputy national security adviser Anne Neuberger speak at the Mandiant Cyber Defense Summit on Oct. 5.
- Easterly and others speak on the first day of CISA's four-week Annual National Cybersecurity Summit on Oct. 6.
- Deputy Attorney General Lisa Monaco; Deputy Energy Secretary David Turk; National Cyber Director Chris Inglis; Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee's cybersecurity panel; Rep. John Katko (R-N.Y.), the top Republican on the committee; and Sen. Angus King (I-Maine) participate in the Aspen Cyber Summit on Oct. 6.
- The Center for Strategic and International Studies hosts an event on sixth-generation network standards on Oct. 6 at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas, Easterly, Inglis and other top U.S. government officials speak at the three-day Billington Cybersecurity Summit, which begins Oct. 6.
- European cybersecurity officials speak at Kaspersky's EU Cyberpolicy Forum on Oct. 7 at 5 a.m.
- Silicon Flatirons hosts an event on encryption on Oct. 7 at noon.
- The House Oversight and Reform Committee holds a hearing on the partisan election review in Maricopa County, Ariz., on Oct. 7 at 10 a.m.
Secure log off

Remember, this is a month-long affair. Don't blow all your best password advice on Day 1. Thanks for reading! I'll be away next week, leaving the newsletter in the able hands of Aaron Schaffer and Sarah Salem. Have a great weekend.