Skip to main content
Top Button
Ice Miller Cybersecurity Law Snapshot: New Year, Nuanced Approaches to Cybersecurity Vulnerabilities Ice Miller Cybersecurity Law Snapshot: New Year, Nuanced Approaches to Cybersecurity Vulnerabilities

Ice Miller Cybersecurity Law Snapshot: New Year, Nuanced Approaches to Cybersecurity Vulnerabilities

2022 has arrived and it brings more complicated cybersecurity threats and vulnerabilities, as well as government actions. The federal government is actively promoting more nuanced approaches to analyze and address these vulnerabilities. These insightful perspectives focus on strengthening defenses and mitigating harmful outcomes. In the aftermath of the discovery of the Log4j vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) has recommended critical steps to help protect federal entities from future vulnerability, triggering heated debate between the private sector and the government. In the wake of several large-scale attacks on critical infrastructure, and in response to the Biden Administration’s push to strengthen the nation’s cyber infrastructure, the National Institute of Standards and Technology (NIST) has updated key guidance for systems engineers. CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA) analyzing and assessing Russian state-sponsored cyber operations to encourage a more robust understanding of Russian tactics, techniques, and procedures. 

CISA Guidance on Vendor Next Steps Amid Log4j Vulnerability Crisis

In November 2021, Apache Software Foundation was alerted of a vulnerability to log4j, an open-source code library used to keep record of a host of activities on a network. Nefarious actors can exploit this vulnerability to target computer systems and steal sensitive information or infect systems with malicious code. One of the most problematic vulnerabilities discovered within log4j is “log4Shell,” which has the potential to affect millions of devices across the world. Following its discovery, an impressive large-scale crowd-sourced response has tackled patching and thousands of vendors have already addressed the vulnerability. Still, some vendors disagree as to whether their products were impacted and still others may not know whether they are vulnerable. As such, CISA is recommending vendors uniformly adopt and standardize software bills of materials (SBOM), which can provide customers direct insight into open-source software being used by vendors and whether any of such open-source software contains vulnerabilities. This SBOM approach is hotly debated by vendors who argue that, although open-source software may be affected by a vulnerability, that fact alone does not make such a vulnerability exploitable. Vendors also argue that mandatory disclosure of in-use open-source software can directly affect intellectual property rights. This is an important debate to monitor as CISA and the Department of Homeland Security (DHS) are actively seeking methods to mitigate vulnerabilities through disclosures.

NIST Updates Systems Engineers Cybersecurity Guidelines

The Biden Administration is pushing for more security in programming and systems engineering to fortify critical infrastructure. NIST, accordingly, released its newest guidance, entitled “Engineering Trustworthy Secure Systems.” This expansive document ranges over 200 pages and includes critical information for systems engineers and programmers regarding the development of more secure software and technology. Amongst the guidelines, there are several critical inclusions, many of which private and public sector systems engineers should consider adopting, such as:
  • emphasizing system assurances (evidence that a system’s security procedures can mitigate asset loss and prevent cyber-attacks); 
  • focusing on loss elimination and mitigation of vulnerabilities;
  • further aligning Systems Security Engineering (SSE) with safety practices of other disciplines that deal with asset loss; and
  • stressing the importance of aligning SSE work to international standards. 

CISA, FBI, and NSA Combine Efforts to Combat Russian Cyberattack Tactics

CISA, the FBI, and NSA released a joint CSA that aims to provide more information about Russian state-sponsored operations, including common tactics, techniques, and procedures. For critical infrastructure, the agencies encourage heightened awareness, proactive threat hunting, and increased mitigation efforts. The CSA recommends, among other things, the following:
  • Detection
    • Implement robust log collection and retention, which allow entities to investigate incidents and detect threat actor behavior.
    • Actively seek out behavioral evidence or network and host-based artifacts from Russian state-sponsored tactics, techniques, and procedures. 
  • Incident Response
    • Organizations that detect potential threat actor activity should:
      • Immediately isolate affected systems.
      • Secure backups by ensuring they are offline and scanned with antivirus software. 
      • Seek subject-matter specialized support to avoid residual issues. 
      • Report incidents to CISA and/or the FBI.
  • Mitigation
  • Be Prepared:
    • Confirm reporting processes and minimize coverage gaps.
    • Create, maintain, and exercise a cyber incident response, resilience plan, and continuity of operations plan.
  • Enhance your Organization’s Cyber Posture:
    • Review identity and access management policies (require multi-factor authentication, require strong passwords, secure credentials, set strong password policies, audit domain controllers).
    • Identify, detect, and investigate abnormal activity and enable strong spam filters.
  • Addresses Vulnerabilities and Configuration Management Concerns:
    • Update software, including operating systems, applications, and firmware on IT network assets—prioritizing patching known exploited vulnerabilities, especially those noted in the CSA.
    • Implement rigorous configuration management programs that can track and mitigate emerging threats.
  • Increased Organizational Vigilance
    • Regularly review reporting and sign up for CISA notifications to keep up-to-date with known issues, vulnerabilities, and high-impact activity.

Ice Miller Cybersecurity Attorneys

Ice Miller has extensive experience assisting companies to navigate and comply with federal cybersecurity laws and regulations, as well as taking advantage of cybersecurity-related procurement opportunities. Our team includes Guillermo Christensen, managing partner of the firm’s Washington D.C. office and former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State; Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on federal procurement cybersecurity laws and regulations; Angad Chopra, a Certified Privacy Professional and associate in Ice Miller’s Data Security and Privacy Group; and Dakota Coates, an associate in Ice Miller’s Litigation Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
View Full Site View Mobile Optimized