Category Archives: Cybersecurity

Ghosts in the Clouds: Inside China’s Major Corporate Hack — WSJ

A Journal investigation finds the Cloud Hopper attack was much bigger than previously known

“In one of the largest-ever corporate espionage efforts, cyberattackers alleged to be working for China’s intelligence services stole volumes of intellectual property, security clearance details and other records from scores of companies over the past several years. … ”

More at

As China Hacked, U.S. Businesses Turned A Blind Eye – NPR

Technology theft and other unfair business practices originating from China are costing the American economy more than $57 billion a year, White House officials believe, and they expect that figure to grow.

Yet an investigation by NPR and the PBS television show Frontline into why three successive administrations failed to stop cyberhacking from China found an unlikely obstacle for the government — the victims themselves.

In dozens of interviews with U.S. government and business representatives, officials involved in commerce with China said hacking and theft were an open secret for almost two decades, allowed to quietly continue because U.S. companies had too much money at stake to make waves. …

More at NPR

Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication

“… The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer. …”

More at

Chinese Hackers Breach U.S. Navy Contractors – WSJ

WASHINGTON—Chinese hackers are breaching Navy contractors to steal everything from ship-maintenance data to missile plans, officials and experts said, triggering a top-to-bottom review of cyber vulnerabilities….

More @ WSJ

DOD Just Beginning to Grapple with Scale of Vulnerabilitie (GAO-19-128: Published: Oct 9, 2018)

In recent cybersecurity tests of major weapon systems DOD is developing, testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected. …

More at GAO

Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War

“Today, various parts of the Department of Defense (DoD) and the Intelligence Community (IC) are generally aware of cyber and supply chain threats, but intra- and inter-government actions and knowledge are not fully coordinated or shared. …
This report examines options that span legislation and regulation, policy and administration, acquisition and oversight, programs and technology. …”

More at MITRE

Supply Chain Risk Management Reliability Standards

A Proposed Rule by the Federal Energy Regulatory Commission …

The Federal Energy Regulatory Commission (Commission) proposes to approve supply chain risk management Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization, submitted the proposed Reliability Standards for Commission approval in response to a Commission directive. In addition, the Commission proposes that NERC develop and submit certain modifications to the supply chain risk management Reliability Standards.

More at

Final Report of the Defense Science Board (DSB) Task Force on Cyber Supply Chain

Attached is the final report of the Defense Science Board Task Force on Cyber Supply Chain. The task force assessed the organization, missions, and authorities that encompass the use of microelectronics and components in Department of Defense (DoD) weapons systems. Continue reading

Final Rule re: “Department of Defense (DoD)’s Defense Industrial Base Cybersecurity Activities”

“This final rule responds to public comments to the interim final rule published on October 2, 2015. This rule implements statutory requirements for DoD contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support….”

More at