The National Institute of Standards and Technology (NIST) continues to offer timely and relevant information for companies to consider when addressing cyber-risks in an ever-changing landscape.

On February 2, 2021, NIST published an alert outlining tools it has developed to assist companies “to help defend against state-sponsored hackers.” According to its press release, nation-state actors, also known as “advanced persistent threats” (APTs), are targeting governmental agencies as well as private industry and academia in order to steal “sensitive but unclassified information,” known as “controlled unclassified information” (CUI), that the government relies on “to carry out a wide range of missions using information systems.” Therefore, the “protection of sensitive federal information that resides in nonfederal systems…is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations.”

Following the Chinese government’s 2018 hack of a third-party contractor of the United States Navy in which, according to the Washington Post, the Chinese government “stole a large amount of highly sensitive data on undersea warfare,” NIST developed and published its draft Special Publication SP 800-172 to assist in protecting CUI against APT.

After public comment, the final publication of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, was released this week. It gives private companies, industry and academia NIST-developed tools to adopt that provide “additional recommendations for handling CUI in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.”

According to NIST, “implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property the revelation of which could compromise our economy and national security.”

NIST provides help to all of us in defending against cyber-attacks. NIST says, “The adversaries are bringing their ‘A-game’ in these cyberattacks 24 hours a day, 7 days a week…You can start making sure the damage is minimized if you use SP 800-172’s cyber safeguards.”

Take a look at the tools and consider using them to enhance the security of your high-risk data.

The Federal Aviation Administration (FAA) announced last week that it will be working with industry leaders and public stakeholders to develop a traffic management system for unmanned aircraft systems (UAS or drones). UAS traffic management (UTM) requires a framework for safely operating multiple UAS at once. The FAA wants to first establish operating rules before industry service providers and operators coordinate the execution of flights.

For example, operators want to use smart-phone applications to map routes for drone flights and to check flight restrictions. The FAA has been working on UTM for drones since about 2015, when it first partnered with the National Aeronautics and Space Administration (NASA).

In November 2020, the FAA conducted flight tests through its UTM pilot program in Virginia and is working on an implementation plan based on that research. However, industry stakeholders have asked for more information on the next steps, and it is uncertain whether the FAA’s plan will include performance goals and measures (which is not statutorily required).

The FAA says it will use results from the pilot program to assist it in creating its implementation plan. However, the industry has voiced concern about the limited release of information related to UTM technology.

The U.S. Government Accountability Office (GAO) is recommending that the FAA: (1) provide stakeholders with additional information on the timing and substance of UTM testing and implementation efforts via the FAA’s UTM website or other appropriate means, and (2) develop performance goals and measures for its UTM implementation plan. The Department of Transportation agreed with those recommendations.

With more available data from the FAA’s research in its pilot program, members of the UAS industry and public stakeholders will be able to better align their own activities with those of the FAA and make better decisions for UTM testing and implementation.

My phone was ringing this week with inquiries from clients, friends and acquaintances who received a Form 1099 in the mail for an unemployment claim that they did not file, asking what they should do.

The statistics on the successful filing of fraudulent unemployment claims throughout the country in 2020 are staggering. The pandemic created higher unemployment than the country has seen in years, and fraudsters took advantage of federal and state legislation making the filing of an unemployment claim as easy as possible in order to get funds to those in need.

Unfortunately, no good deed goes unpunished, and states were hammered with fraudulent unemployment claims. The State of Washington alone estimates that it lost up to $600 million in fraudulent unemployment claims in 2020.

Some individuals received notice at the time of the filing of a fraudulent unemployment claim made in their name and were able to stop it. If you didn’t receive notice at the time of the filing, and the perpetrator was actually successful in using your personal information to obtain unemployment benefits in your name, you will find out when you get a Form 1099 in the mail for your taxes. What a nightmare.

If this happened to you, here are some ideas and resources that may help.

  • Contact the state agency that issued the 1099 and report the fraud. Usually there is a toll-free number or website at the bottom of the 1099 that you can contact.
  • Keep records of all telephone calls, emails or any other conversations you have with the state agency when reporting the fraud so you can document your report of fraud in the event you need it later.
  • If you are asked by the state agency to provide a copy of the 1099 to them to evidence the fraud, redact your Social Security number and write “fraudulent claim” on it when you send it back to them.
  • Give all documentation that you have of the fraud and your report of the fraud to your tax preparer.
  • For more information, here are two resources that may be helpful to you.

Indian news outlet Inc42 has reported that the ShinyHunters hacking group found some shiny objects when it was able to compromise the personal information of hundreds of thousands of individuals using the crypto exchange BuyUCoin.

The hackers were able to compromise and subsequently leak a BuyUCoin database that contained names, telephone numbers, email addresses, tax identification numbers and bank account information of users. Different reports put the number of users affected by the compromise at between 161,000 and 325,000.

Although BuyUCoin initially denied the reports, it recently indicated that it is investigating and that no user funds had been affected.

With the passage of the California Privacy Rights Act (CPRA), we are presenting several blog articles on different topics related to the new law. We previously wrote about key effective dates and the newly added definition of sensitive information. This week, we will focus on consumer opt-out rights and data profiling.

Consumer Opt-Out Rights

The CPRA created several new rights for consumers – one of which is the right to opt out of the sale or the sharing of their personal information. In order to understand this new opt-out right, we need to review the new definition of sharing personal information in the CPRA.

The CPRA differentiates between the sale of personal information and the sharing of personal information. Sharing personal information means disclosing it to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Section 1798.140 (a)(h)(1).

What is cross-context behavioral advertising? Think about advertising targeted to the consumer based on their internet behavior. Contextual advertising might be an ad shown specifically to a consumer for a product related to that consumer’s internet search. If you are a California resident, the CPRA will give you the right to opt out of the sharing of your personal information in this way. How will a consumer exercise this right? The CPRA states that a consumer shall have the right, at any time, “to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.” Section 1798.120(a).

Data Profiling – What is it?

Another consumer right related to the consumer opt-out rights found in the CPRA pertains to data profiling. Profiling is defined in the CPRA as the automated processing of personal information “to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Section 1798.140 (z). One bright note is that Section 1798.185 (a)(16) states that regulations will need to be developed “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”

We will be following these opt-out rights closely – both from a consumer privacy standpoint and for businesses that use such targeted advertising technologies, including automated processing of personal information – to see how the regulations will address the logic involved in the decision-making process and its impact on consumers.

Cybersecurity firm SonicWall Inc. is investigating an attack on its internal systems that it describes as “highly sophisticated.” According to SonicWall, the investigation is centered around its Secure Mobile Access 100 series, which assists with end-to-end secure remote access.

The company said that a few thousand devices have been impacted and that it is trying to determine whether the attackers exploited a zero-day vulnerability in the SMA 100 series product.

Although it sounds very similar to the recent SolarWinds cyber-attack, it is presently unknown whether this incident is related to that attack or if it was caused by the Russian-based attackers behind the SolarWinds incident.

It is clear that cybersecurity firms are being heavily targeted by cyber-attackers and are not immune from the onslaught of cyber-attacks we are seeing across the board in every industry. It also emphasizes the fact that cyber risk can never be completely transferred. Data security is a team sport. Reasonable cyber-hygiene inside your organization, combined with outside tools that augment your security posture, both help to minimize risk, but hackers are using more and more sophistication in their attacks, which present risk internally and externally. What is crystal clear from these attacks on cybersecurity firms is that cybersecurity and vendor management must continue to be a high priority for organizations in order to manage cyber risk.

Last week, the Executive Order on Protecting the United States from Certain Unmanned Aircraft Systems (UAS) expanded the U.S.-China drone controversy to North Korea, Iran, and Russia.

The Order also provides the Secretary of Commerce with the authority to designate “any other foreign nation, foreign area, or foreign non-government entity engaging in long-term patterns or serious instances of conduct significantly adverse to the national or economic security of the United States,” in addition to China, North Korea, Iran, and Russia.

The purpose of the Order is to “prevent the use of taxpayer dollars to procure UAS that present unacceptable risks and are manufactured by, or contain software or critical electronic components from, foreign adversaries, and to encourage the use of domestically produced UAS.” However, this Order is not necessarily a “cease-and-desist” order; instead, it requires federal agencies to review their “authority to cease” procuring, funding or contracting the “covered UAS” of such foreign adversaries within the next 60 days. A “covered UAS” includes a drone that:

  • is manufactured, in whole or in part, by an entity domiciled in an adversary country;
  • uses critical electronic components installed in flight controllers, ground control system processors, radios, digital transmission devices, cameras, or gimbals manufactured, in whole or in part, in an adversary country;
  • uses operating software (including cell phone or tablet applications, but not cell phone or tablet operating systems) developed, in whole or in part, by an entity domiciled in an adversary country;
  • uses network connectivity or data storage located outside the United States, or administered by any entity domiciled in an adversary country; or
  • contains hardware and/or software components used for transmitting photographs, videos, location information, flight paths, or any other data collected by the UAS manufactured by an entity domiciled in an adversary country.

The Order also requires federal agencies to inventory covered UAS that already are owned or operated by the agency, and to then report their existing security protocols. However, and particularly with respect to China, several federal agencies have already conducted this inventory and assessment. No later than 120 days after the inventory reports are completed, the Director of National Intelligence, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Science and Technology Policy, and the heads of other agencies will review the reports and submit a security assessment to the President, including recommended mitigation steps for decreasing the risks associated with these UAS and whether any UAS’ use should be discontinued completely by federal agencies.

The Federal Aviation Administration (FAA) must also lay out restrictions on the use of UAS on or over critical infrastructure within 270 days of the Order; the FAA already has the power to issue a Temporary Flight Restriction (TFR). At present, TFRs can be requested only by national defense, national security, and federal intelligence departments and agencies. However, other government or private sector entities can, in the interest of national security, request those agencies to sponsor a TFR over critical infrastructure (e.g., oil refineries and chemical facilities). The goal of the Order is perhaps to provide a direct line from private industry to the FAA.

We’ll see if the Order has staying power and the funding to support it. Stay tuned.

Those of us who are not health care workers, essential workers or the highest-priority cohort in our state to receive the COVID-19 vaccine are patiently awaiting our turn. We are anxious to receive the vaccine for our personal safety and health, while monitoring complaints about vaccine rollouts in different states.

As we have reported before, criminals and fraudsters prey on unsuspecting victims who have been anxious (understandably so) about many different issues that have arisen since the beginning of the pandemic, including their jobs, the infection rate of COVID-19, the prevalence of COVID-19 in their community, obtaining relief through funds from the state or federal government, and unemployment payments.

The pandemic has been used by fraudsters and scammers to attempt to obtain personal information or money from victims. These scams have included phishing schemes, telephone schemes and the introduction of malware and ransomware into networks and systems to obtain personal information or money under false pretenses.

With the development and rollout of COVID-19 vaccines, the fraudsters and scammers continue to prey on the uncertainty and anxiety of individuals in figuring out how and when they will be vaccinated. Each state has its own rollout plan, and these plans frequently change depending on the number of allocated vaccines and how they will be distributed and administered. Unfortunately, whenever there is confusion in communication, fraudsters and scammers are at their best.

It has been widely reported that there has been an increase in attempted fraud by criminals around COVID-19 vaccinations. These schemes include emails and telephone calls to individuals providing them with information about how they can get vaccinated in advance of their scheduled time. Fake websites are set up for appointments where the criminals request individuals to input their personal information, including their name, date of birth, address and Social Security number, in order to secure a vaccination time slot.

In addition, there are some reports about a black market springing up around COVID-19 vaccinations and that scammers are luring victims to pay for vaccinations with the promise that, if they pay, they can jump the line to receive it. Unfortunately, it is very tempting, and many people are falling for it.

It has become such a problem that the Federal Trade Commission (FTC) has provided a warning and guidance to consumers about these widespread scams and how to protect oneself from them. The most basic tip is not to provide your personal, financial or health information to anyone who texts, calls or emails you regarding a COVID-19 vaccination. The FTC confirms in its warning that no legitimate healthcare site, provider or other entity that is distributing and administering vaccines will ask for this information in order for you to sign up for a vaccination when it is your turn.

As we have reported before, be very vigilant about requests to click on any links or attachments or to provide any personal information in the context of COVID-19, including around the vaccine or getting vaccinated. For more information, visit the FTC’s guidance here.

January 27, 2021, was a BIG win for law enforcement in the efforts to combat cybercrime. U.S. and European law enforcement agencies announced that, through joint efforts and cooperation on “Operation Ladybird,” they seized the computer servers and infrastructure used by the criminals behind Emotet to victimize individuals and organizations through phishing schemes and to distribute vicious strains of ransomware such as Ryuk; that infrastructure is now out of the control of the cybercriminals. Emotet has been described as a cybercrime-as-a-service program because it is a pay-per-install botnet.

According to reports, Emotet has been used by criminals to defraud victims of millions of dollars through extortion and data theft, and the U.S. Department of Homeland Security has estimated that it has cost U.S. state and local governments up to $1 million per incident following an Emotet infection. Investigators have estimated that more than one million Microsoft Windows systems are currently affected by Emotet infections, so the takedown is particularly important for those already-infected systems.

According to Europol, “The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale.”

This win doesn’t mean that the criminals behind Emotet can’t rebuild and continue to wreak havoc in the future, but slowing them down a bit helps in combating cybercrime and protecting individuals’ and companies’ data.

The New York Department of Financial Services (DFS), which regulates certain covered entities and licensed persons in the financial services sector doing business in New York, recently provided guidance to its regulated entities that the annually required Certificate of Compliance with the DFS Cybersecurity Regulations must be submitted no later than April 15, 2021.

To find out whether a company is covered by the DFS Cybersecurity Regulations, DFS has established a portal to search applicable regulated entities. The portal also is used to file the annual certification. According to DFS, “All Covered Entities and licensed persons who are not fully exempt from the Cybersecurity Regulation are required to submit a Certificate of Compliance no later than April 15, 2021, attesting to their compliance for the 2020 calendar year.”

The publication further states that “if a Covered Entity or licensed person has an exemption that is still valid, they do not need to file a new Notice of Exemption in 2021.”

For more information on the DFS Cybersecurity Regulation requirements, click here.