Sector Specific

The FDA Finally Suggests Meaningful Action to Secure Medical Devices

by James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology Healthcare depends on the crucial medical devices essential for the treatment and diagnosis of illness and disease. The Food and Drug Administration (FDA) regulates over 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide. Digital .. read more

What the Health Sector Needs to Know About Cryptocurrency Technologies, Blockchain, and Cryptojacking Attacks

by James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology While the Bitcoin and the cryptocurrency trend may turn out to be a massive bubble, the underlying technology and innovation could forever alter the digital landscape of the health sector [1]. Until 2016, cybersecurity and cyber-hygiene were stagnant in the health sector. The lackadaisical vulnerable .. read more

The Orangeworm Mystery Plaguing the Health Sector

by James Scott, Co-Founder and Sr. Fellow, ICIT The International healthcare community is currently beleaguered by an obscured adversary with illusive motives. Supply chain attacks on healthcare providers, pharmaceutical companies and medical sector information technology solution providers and equipment manufacturers via phishing emails first emerged in January 2015. The majority of the hundred attacks remain .. read more

National Security Depends on the Utilization of the MGT Act

by James Scott, Sr. Fellow, ICIT Nearly three-quarters of the $80 billion annually spent on federal IT systems is allocated towards the upkeep and maintenance of outdated and vulnerable legacy systems. The majority of these systems predate the Internet, many were “Frankensteined “together ad hoc from technologies that are now older than those tasked with .. read more

ICIT Analysis: The CLOUD Act – Immediate Passage of the CLOUD Act Ensures Unambiguous Protection of Privacy and National Security

The CLOUD Act is meaningful bipartisan legislation that will empower U.S. law enforcement and authorities in countries that enter into agreements with the government to quickly access essential evidence stored in servers owned by companies that are based in the United States, provided that there is probable cause and warrant to access that information. With .. read more

Equifax: The Hazards of Dragnet Surveillance Capitalism Part 2: Just Another Data Breach? Or C-Suite Criminal Negligence?

The reckless handling of data collected in capitalistic dragnet surveillance has developed into a national security and privacy epidemic.  The Equifax breach should epitomize the consequences of negligent data brokerage and serve as a wake-up call to similar organizations who profit from dragnet surveillance and the employment of psychographic and demographic Big Data algorithms. In .. read more

ICIT Analysis – Equifax: America’s In-Credible Insecurity – Part One

A catastrophic breach of Equifax’s systems was inevitable because of systemic organizational disregard for cybersecurity and cyber-hygiene best practices, as well as Equifax’s reliance on unqualified executives for information security. While Equifax has proven itself to be a compromised, irresponsible data custodian, Experian, TransUnion, and other data brokers may be just as vulnerable, irresponsible, and .. read more

ICIT Analysis: The Graham-Klobuchar Amendment Can Secure Election Infrastructure

Election integrity is a non-partisan issue that merits significant bipartisan support. Multiple players are capable of exploiting the vulnerabilities present in the often insecure, black-box proprietary code and unsecurable, antiquated legacy technology upon which U.S. election tabulation infrastructure relies. The Graham-Klobuchar Amendment aims at achieving Secure State Election Infrastructure through a Federal-State collaborative commission of .. read more

HHS’ HCCIC Takes a Quantum Leap Forward to Secure the Health Sector

HHS is aggressively working with industry to introduce organizational cybersecurity resiliency to the Health Care Industry and move organizations away from self-regulating, checkbox-driven security standards which provide little more than security theatre.  The Healthcare Cybersecurity and Communications Integration Center (HCCIC), HHS’s new cybersecurity intelligence-sharing clearing-house, is a major step toward this goal and acts as .. read more

ICIT Analysis: The Cyber Shield Act

Industry experts and federal agencies such as NSA, NASA and NIST have repeatedly pushed for the implementation and standardization of the bare essentials of Information Security, such as security-by-design, cyber-hygiene training, and layered defenses, to be recognized as crucial topics on the Hill.  The Cyber Shield Act is an excellent idea for improving informed consumer .. read more

ICIT Analysis – S.J. Res. 34 – Introduction of Privatized Censorship

With S.J.Res.34, every citizen will have massive amounts of their data exposed when their ISP or a nebulous third-party intentionally or inadvertently fails to adequately secure the information. By drastically expanding that collection, storage, and exchange of data with a few short lines of legislation, Congress has jeopardized the security and privacy of every citizen, every .. read more

ICIT Analysis: How to Crush the Health Sector’s Ransomware Pandemic

The health sector is the most vulnerable, most targeted, and resoundingly least equipped to defend against hackers who are pummeling healthcare organizations with ransomware attacks.   This ransomware epidemic will only become more severe and costly as the infection volume in 2017 will trump infections in 2016. In this post, entitled “How to Crush the .. read more

Cybersecurity in Non-Profit and Non-Governmental Organizations

Non-Profit and Non-Government Organizations (NGOs) rely greatly on the use of information technology for both their operations and innovative strategic program initiatives.  In a sense, they are no different than any small, medium or large-scale enterprise with regard to computing.  Keeping information confidential and free from integrity and privacy challenges as well as ensuring their .. read more

ICIT Analysis: Hacking Elections is Easy! Part 2: Psst! Wanna Buy a National Voter Database? Hacking E-Voting Systems Was Just the Beginning

The United States election process has been at risk since the widespread adoption of electronic voting (e-voting) systems in 2002-2006. Despite the fact that researchers have spent the past decade demonstrating that Direct Recording Electronic (DRE) and optical scanning systems from every manufacturer are vulnerable along numerous attack vectors, our Nation is still plagued with .. read more

ICIT Brief – Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims

Despite being the most at-risk and perpetually breached critical infrastructure sector in the Nation, virtually all health sector organizations refuse to evolve their layered security to combat a hyper evolving threat landscape. As a result, when a healthcare system is breached and patient records are stolen, the entire brutal impact of the incident that resulted from .. read more

ICIT Analysis: Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures

True democracy relies on the reliability of the democratic process. The “Help America Vote Act”, passed in 2002, ushered in an era of uncertainty by proliferating the use of electronic voting systems vulnerable to cyber, technical and physical attack. More often than not, electronic voting systems are nothing but bare-bone, decade old computer systems that .. read more

ICIT Brief – The Energy Sector Hacker Report: Profiling the Hacker Groups that Threaten our Nation’s Energy Sector

Among our Nation’s critical infrastructures, the Energy Sector is a primary target for exploitation by nation state and mercenary APTs, hacktivists, cyber jihadists and other hacker teams. Although the nation’s socioeconomic survival depends on the energy sector to deliver energy to the homes and businesses that support life, business operations, and critical systems, it was .. read more

ICIT Report: Utilizing the NSA’s CSfC Process- Protecting National Security Systems with Commercial Layered Solutions

The acceleration of State Sponsored and Mercenary APT cyber-attacks, each of which possess new and more innovative layering of stealth and sophistication, has triggered a much needed response by the National Security Agency’s (NSA) Information Assurance Directorate (IAD). A more expedient path to technology approval has been introduced for qualified organizations. As a result, the .. read more

ICIT Analysis: FDA Guidance on Medical Device Cyber Security

This Institute for Critical Infrastructure Technology blog post, entitled “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle “Suggestions” May Not Be Enough” is an objective analysis of the recent Food and Drug Administration (FDA) “Draft Guidance for Industry and Food and Drug Administration Staff.” The guidance advises medical device manufacturers to address .. read more

ICIT Brief: Hacking Healthcare IT in 2016: Lessons the Healthcare Industry can Learn from the OPM Breach

Among all of America’s critical infrastructures, the healthcare sector is the most targeted and plagued by perpetual persistent attacks from numerous unknown malicious hackers. The goal of these threat actors is to exploit vulnerabilities in insecure and antiquated networks in order to exfiltrate patient data for financial or geopolitical gain. In order to protect patient .. read more

ICIT Brief: Who’s Behind the Wheel? Exposing the Vulnerabilities and Risks of High Tech Vehicles

The July 2015 remote hack of a Jeep Cherokee by security researchers from IOActive served as a catalyst which made vehicle cybersecurity a top priority for the automotive industry, consumers and lawmakers.  Since then, Chrysler has recalled 1.4 million Jeeps to patch vulnerabilities and lawmakers have proposed various pieces of legislation to address cybersecurity in vehicles, including the  Security and Privacy .. read more

ICIT Talking Points: “Is the OPM Data Breach the Tip of the Iceberg?” – for the House Committee on Science, Space and Technology

Throughout June 2015, the United States Office of Personnel Management failed to adequately answer inquiries from the American people, Congress, and Federal agencies, concerning the two breaches of its systems that have left the granular personal information of 22.1 million United States Citizens in the hands of an unidentified adversary.  After review of the July .. read more

Legislative Brief “Moving Forward: How Victims Can Regain Control & Mitigate Threats in the Wake of the OPM Breach”

In June 2015, the Nation learned that the personnel records of 21.5 million United States citizens had been exfiltrated by an unknown adversary from the Office of Personnel Management, one of the largest known breaches in the history of the U.S. Government.  The immediate public outcry included congressional hearings attributing the breach to OPM administrators and .. read more

Preparing the Battlefield: The Coming Espionage Culture Post OPM Breach

As part of its continued analysis of the OPM breach, ICIT’s most recent brief entitled “Preparing the Battlefield: The Coming Espionage Culture Post OPM Breach” discusses the significant impact the breach will have on America’s national security.  The large number of victims, many of whom hold security clearances, combined with the personal nature of the information stolen gives .. read more

ICIT Brief: OPM Demonstrates that Antiquated Security Practices Harm National Security

The Institute for Critical Infrastructure Technology has published its official analysis of the Office of Personnel Management breach, Handing Over the Keys to the Castle: OPM Demonstrates that Antiquated Security Practices Harm National Security.  This research brief provides insights on several of the most important aspects of the breach, some of which are not being .. read more

Brief: Keeping Smart Cities Smart – Preempting Emerging Cyber Attacks in U.S. Cities

The Institute for Critical Infrastructure Technology, working closely with IOActive and other Fellows, has published its latest legislative briefing titled “Keeping Smart Cities Smart: Preempting Emerging Cyber Attacks in U.S. Cities“.   As more and more U.S. cities adopt ‘smart’ technologies,  America finds its urban centers  increasingly at risk for cyber-attacks which could bring entire .. read more