Friday Five: CISA’s Own Security Incident, Open-Source Security Worries, & More

CISA: MOST CRITICAL OPEN SOURCE PROJECTS NOT USING MEMORY SAFE CODE BY BILL TOULAS

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other organizations published a report on memory safety in 172 key open-source projects. They found that over half contain memory-unsafe code, with 55% of total lines of code being memory-unsafe, with critical projects like Linux and Tor having high proportions of unsafe code. CISA recommends using memory-safe languages like Rust, Java, and GO for new code, transitioning existing projects to these languages, and following safe coding practices. Developers are said to often use memory-unsafe languages due to performance needs, and some even disable safety features, increasing risks. Continuous testing and careful dependency management are advised to address these issues.

Read more

HOUSE PANEL ABRUPTLY CANCELS FEDERAL PRIVACY BILL VOTE BY TIM STARKS

A House panel canceled plans to act on the American Privacy Rights Act due to disagreements with Republican leadership and opposition from key interest groups. The bill, which had bipartisan support, faced objections from House GOP leaders and concerns from businesses and civil rights groups. Rep. Frank Pallone (D) criticized the interference, expressing commitment to continue working with Chair Cathy McMorris Rodgers on the bill, both of whom emphasized the importance of privacy rights online. House Speaker Mike Johnson also supported greater online privacy control. Civil rights groups celebrated the decision, calling for safeguards against data discrimination.

Read more

CISA INFRASTRUCTURE TOOL TARGETED IN JANUARY BREACH, AGENCY SAYS BY DAVID DIMOLFETTA

CISA confirmed in a recent blog post that its Chemical Security Assessment Tool (CSAT) was targeted by hackers between January 23 and 26, allowing potential access to sensitive information, though no data exfiltration was found. The accessed data may include past security assessments of chemical facilities among other sensitive information. The intrusion involved an advanced webshell on Ivanti VPN products, leading CISA to shut down the system and later instruct federal agencies to disconnect from Ivanti products, underscoring the importance of incident response plans. CSAT, part of the Chemical Facility Anti-Terrorism Standards program established post-9/11, had lapsed in July, reducing its current data relevance.

Read more

DHS HIGHLIGHTS AI AS A THREAT AND ASSET TO CRITICAL INFRASTRUCTURE IN NEW PRIORITY GUIDANCE BY ALEXANDRA KELLEY

The Department of Homeland Security (DHS) is focusing on artificial intelligence (AI) and other emerging technologies under its 2024-2025 Strategic Guidance and National Priorities for U.S. Critical Infrastructure Security and Resilience plan. The guidance aims to enhance the security and resilience of critical infrastructure, such as the electrical grid and transportation systems, against AI-related risks. DHS emphasizes the dual role of AI in both posing risks and aiding in cybersecurity efforts. The guidance also highlights concerns about quantum computing, which could threaten current encryption methods. CISA will lead efforts to address these risks, as outlined in the upcoming 2025 National Infrastructure Risk Management Plan.

Read more

US BUSINESSES STRUGGLE TO OBTAIN CYBER INSURANCE, LAWMAKERS ARE TOLD BY CHRISTIAN VASQUEZ

At a House Homeland Security Committee hearing, experts and industry representatives highlighted the challenges U.S. businesses face in obtaining cybersecurity insurance. Kimberly Denbow from the American Gas Association noted the limited availability and complexity of cyber insurance policies for natural gas utilities. Meanwhile, Matthew McCabe from Guy Carpenter & Company mentioned that the increasing prevalence of state-sponsored cyberattacks on critical infrastructure raises concerns about coverage exclusions for acts of war. High premiums and lack of consistent terminology have led to calls for a federal "backstop" to guarantee large-scale insurance losses, though such a measure has not yet been enacted. DHS officials emphasize the need for resilient critical infrastructure against persistent cyber threats.

Read more