This week we cover some of Biden’s Cybersecurity Order and a few 5G related developments.
Biden’s Cybersecurity EO: Encrypted data at rest for me, why not thee?
On the heels of the Colonial Pipeline, Microsoft Exchange Server, and SolarWinds incidents, the White House has issued a new Executive Order that seeks to protect federal government networks. At over 8000 words, it deals with everything from revising USG contracts to facilitate threat information sharing, to implementation of zero-trust architecture, creation of a cybersecurity safety board, securing software supply chains, and improving federal network management including vulnerability identification, logging, endpoint detection, and incident response for both unclassified and national security systems.
We’ll focus here on just one of those topics – implementation of a zero-trust architecture (ZTA), including MFA and encrypting data at rest. While MFA adoption is growing, one interesting thing is the differing recommendations emerging from various parts of the USG on encrypting data at rest. NIST 800-207 explains how ZTA moves defenses from static, network-based perimeters to focus on users, assets, and resources. ZTA is grounded in two principles:
- No implicit trust granted to assets or user accounts based solely on their physical or network location.
- Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.
While data certainly is a resource, encrypting data at rest is not explicitly mentioned in NIST 800-207. However, when looking at DoD guidance and now the Executive Order, encrypting data at rest is an explicit component of proposed organizational architecture.
In the past few years, DOD has published several documents charting its expanded use of ZTA, including the DOD Digital Modernization Strategy, DISA Strategic Plan, and recently the DOD Zero Trust Reference Architecture. The DOD approach to ZTA cites NIST work and provides additional rationale for the approach. Specifically, it assumes a hostile environment and presumes breach. Because the network is assumed compromised, a “data centric security model” is necessary that denies access to all users by default, allowing access only by authenticated, authorized exception. While such a strategy cannot entirely prevent an adversary from executing the standard playbook of stealing credentials, elevating privileges and exfiltrating data, it does make it more difficult because every attempt to access an encrypted data resource is validated.
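The deny-by-default, data-centric model described above can be sketched as a small policy decision point, added here as an illustration rather than code from NIST, DoD or the Executive Order. It assumes a hypothetical key service that holds the resource key and releases plaintext only after subject authentication (MFA) and device posture are checked separately and authorization is confirmed; source network is carried in the request but deliberately grants nothing. The cipher is a toy HMAC-based keystream so the example runs on the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed sample: key held by the hypothetical key service, never handed to callers.
RESOURCE_KEY = b"\x11" * 32
ACL = {"payroll-db": {"alice"}}  # constructed authorization table: resource -> allowed subjects


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher from HMAC-SHA256 (illustration only, not production crypto)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class AccessRequest:
    subject: str
    mfa_verified: bool       # subject authentication is a discrete check
    device_compliant: bool   # device authentication/posture is a separate discrete check
    source_network: str      # "internal" or "internet": recorded, but never a basis for trust
    resource: str


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; allow only when every explicit check passes."""
    if not req.mfa_verified:
        return False, "subject not authenticated with MFA"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.subject not in ACL.get(req.resource, set()):
        return False, "subject not authorized for resource"
    return True, "allow"


def encrypt_at_rest(plaintext: bytes, nonce: bytes) -> bytes:
    """Data service stores only ciphertext; the key never leaves the key service."""
    return keystream_xor(RESOURCE_KEY, nonce, plaintext)


def read_resource(req: AccessRequest, ciphertext: bytes, nonce: bytes) -> bytes:
    """Every read of the encrypted resource is validated before the key is applied."""
    ok, reason = decide(req)
    if not ok:
        raise PermissionError(reason)
    return keystream_xor(RESOURCE_KEY, nonce, ciphertext)
```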
Federal agencies have been urged to move to security based on zero trust principles for more than a decade. (NIST, 2020) But the new EO mandates “secure cloud infrastructure” for any contracted services: “Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
CISA recently released best practice guidance in response to the Colonial ransomware incident. It highlights MFA for remote access but makes no mention of encrypting data at rest. That omission seems odd, especially since more than one ransomware threat actor has allegedly threatened to release data it has exfiltrated. Yes, implementing MFA will help reduce unauthorized access to organizational resources. But CISA has recommended granular access control for agency high value data/assets. Additional authentication and authorization controls that make data ostensibly useless to the adversary are an important thing to consider in addition to other defense techniques.
Many private actors are already governed by industry standards (e.g., PCI-DSS) or legislation (e.g., HIPAA) to address encrypting certain kinds of data at rest. Major commercial cloud platforms all offer encrypted data at rest solutions. Obviously victims’ threat models can differ, and encrypting data at rest may not be practical for some subset of victims, but that’s a decision that can be made case by case. It doesn’t mean the practice shouldn’t be recommended by CISA, especially when it’s a key new component of the USG’s approach to cybersecurity.
Huawei, ZTE Left Out of India’s 5G Trials; China Threatens Retaliation against Ericsson unless Sweden Revokes Ban
India’s Department of Telecommunications (DoT) has approved applications of Reliance Jio, Bharti Airtel, Vodafone Idea and state-run Mahanagar Telephone Nigam Limited (MTNL) to conduct a six-month trial for the use of 5G technology in the country. The telecom providers will partner with Ericsson, Nokia, Samsung and the Centre for Development of Telematics (C-DOT) for the trials. Additionally, Reliance Jio will be conducting trials using its own indigenous technology.
Notably absent from the list of approved partners are Huawei and ZTE, which currently supply a significant amount of equipment and technology to India’s mobile providers. Although the omission of the two major Chinese firms from the list of approved partners is not the same as an official ban, their exclusion from the 5G trials signals India’s hardening stance against China.
Having designated Huawei and ZTE as “national security threats” last year, the U.S. has welcomed India’s decision. Michael McCaul, US House Foreign Affairs Committee Lead Republican and China Task Force Chairman, hailed India’s decision as “good news for the people of India and the world.” The China Task Force report released last year had called for the US government to work with partners and allies, like India, to ensure “Communist Party-controlled” companies do not have access to their 5G networks. More recently, while choosing not to comment directly on the development, State Department spokesperson Ned Price emphasized that the U.S. remains “deeply concerned about the dangers of installing networks with equipment that can be manipulated, disrupted or potentially controlled by the PRC (People’s Republic of China).” Meanwhile, CISA, in coordination with the National Security Agency and the Office of the Director of National Intelligence, has only offered up potential threat vectors to 5G infrastructure.
The Chinese Embassy in Delhi has issued a statement expressing “concern and regret” and urging India to “provide an open, fair, just, and non-discriminatory investment and business environment for market entities from all countries, including China.” While the Chinese response to India’s decision has been muted so far, China’s increasingly aggressive stance on bans against Chinese companies suggests an escalation is not out of the question.
In Sweden, home to Ericsson and one of the few European countries to ban Chinese firms from its national 5G roll-out, China is fighting back. The Swedish Post and Telecom Authority’s (PTS) decision has been challenged by Huawei and a ruling is expected shortly. Following the ban, Beijing had threatened to retaliate against Swedish companies doing business in China, including Ericsson and its largest shareholder, Investor AB. With that threat, and with China accounting for 8% of sales versus 1% from Sweden, Ericsson’s chief executive criticised the ban.
Last week, Ericsson received an invitation for 5G equipment testing from China’s four major telecom operators. Simultaneously, the Global Times, a Chinese state media outlet, served up yet another reminder that Ericsson’s involvement in the 5G equipment test is linked to the revocation of the ban on the participation of Chinese firms in Sweden’s 5G rollout. As noted by the WSJ, the warning in Chinese state media is yet another example of Beijing using the heft of its domestic market to protect its business and foreign-policy interests. It remains to be seen if Sweden will reconsider the ban; however, one thing is certain: China is fighting back.