BreachExchange mailing list archives

After hacks, Transcom to require contractors to report data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Sep 2014 17:37:48 -0600

http://defensesystems.com/articles/2014/09/18/us-transcom-china-contractor-hacks.aspx

After being kept largely in the dark as suspected Chinese hackers spent a
year breaking into the networks of some of its contractors, the U.S.
Transportation Command will now require its contractors to report any
suspected breaches.

The Senate Armed Services Committee released a report Sept. 17 saying that
at least 20 successful hacks were committed against airline, IT and
shipping companies between June 2013 and May 2013. The Transportation
Command was told of only two of them.

As a result of that report and the investigation that preceded it, the
command will now contractually require its vendors to report breaches, Air
Force Gen. Paul Selva, who leads the command, told Bloomberg.

In all, there were about 50 hacks or other cyber incidents within that
year-long period, according to the report. At least 20 were successful
intrusions resulting from an advanced persistent threat, and all of them
were traced to China. An advanced persistent threat has a somewhat nebulous
definition (some security experts frown on using the term at all) but it
has been applied to a sophisticated, organized attack aimed at stealing
information, or, in another sense, an attacker with the expertise and
resources to carry out sophisticated attacks.

The hacks could have exposed sensitive information on the movement of
troops and equipment, potentially disrupting military operations. Transcom
handles logistics for the military and makes liberal use of private-sector
services. More than 90 percent of personnel movement is handled by private
airlines and more than one-third of bulk cargo is shipped via private
companies, according to the report.

The lack of information sharing was as much a focus of the Senate committee
as the hacks themselves, with Sen. James Inhofe (R-Okla.) calling for the
creation of a central clearinghouse for reporting cyber incidents, Reuters
reported.

Currently, security breach notification laws vary by state. All but a
handful require notification if a breach results in the loss of personal
information, but the laws don’t require reporting for every kind of breach.
Although several bills containing notification requirements have been
introduced in Congress, there is no federal law as yet.

Contractors are a frequent target of hackers, particularly those working
for nation-states, because their network defenses presumably aren’t as
tight as those of military organizations. And in some fields, industry
holds military technology secrets that other nations would find valuable.
In July, the Justice Department arrested a Chinese businessman and charged
him with working with two hackers between 2009 and 2013 to steal secrets on
Boeing’s F-35 fighter, the military’s most expensive weapons program. China
this year unveiled a new stealth jet that’s remarkably similar to the F-35.

The businessman, Su Bin, was the sixth Chinese national charged by Justice,
though the first actually taken into custody. In May, Justice filed cyber
espionage charges against five officers in a unit of the Third Department
of the People’s Liberation Army—the equivalent of the National Security
Agency—in relation to cyber attacks on the nuclear power, metals and solar
power industries. Researchers for the security company CrowdStrike a month
later reported they had traced a series of other attacks involving U.S. and
European defense, satellite and aerospace industries to another PLA hacking
unit.

The Senate investigation, meanwhile, found that the Chinese military had
hacked into a Transcom contractor’s network between 2008 and 2010 and
gained access to “emails, documents, user passwords and computer code,”
according to the report. A separate intrusion in 2012 compromised the
systems aboard a commercial ship contracted by Transcom.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
