Category: Agency News

The Federal Bureau of Investigation (FBI )— in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners — have released a joint Cybersecurity Advisory Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure.

This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) associated with Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) cyber actors, both during and succeeding their deployment of the WhisperGate malware against Ukraine.

These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. The authoring agencies encourage organizations to review this advisory for recommended mitigations against such malicious activity.

Cyber threats to systems that provide essential services such as banking and health care are growing.

A 2022 law required the Department of Homeland Security to take several actions to address these threats.

The first set of requirements for DHS included proposing a rule that identifies which infrastructure operators have to report about cyber incidents. DHS proposed the rule in March 2024. According to DHS, access to cyber incident reports could help it improve its prevention of and response to cyber threats.

DHS also met requirements related to specific programs, and to its coordination of federal cybersecurity efforts.

What GAO Found

The Department of Homeland Security (DHS) has implemented the 13 requirements from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the act) that were due by March 2024. Specifically, DHS's Cybersecurity and Infrastructure Security Agency (CISA) submitted a proposed rule related to cyber incident reporting requirements to the Federal Register in March 2024, and it was published in April 2024. DHS plans to issue the final rule by October 2025. In addition, the department implemented the remaining 12 requirements (see figure). As a result of these efforts, DHS should be better positioned to coordinate the federal government cybersecurity and mitigation efforts more effectively, as intended by the act. Additionally, DHS should be better positioned to assist entities with defending against cyber incidents on the critical infrastructure.

Extent to Which the Department of Homeland Security (DHS) Implemented 13 Applicable Cyber Incident Reporting for Critical Infrastructure Act of 2022 Requirements

DHS identified a variety of challenges in implementing the act and is taking steps to address them. These challenges are related to harmonizing cyber incident reporting requirements, addressing cyber incident review responsibilities, and facilitating a more efficient method for federal agencies to begin sharing cyber incident reports. DHS noted that it has taken several mitigation steps to address these challenges, such as (1) identifying four recommendations for federal agencies and three proposals to Congress to address duplicative reporting requirements; (2) updating its technologies; and (3) hiring additional staff to facilitate the review, analysis, and sharing of reports. If implemented effectively, the four recommendations and three proposals can further mitigate challenges and help standardize incident reporting.

Why GAO Did This Study

Cybersecurity incidents involving critical infrastructure sectors—the sectors whose assets, systems, and networks provide essential services—cost the United States billions of dollars annually and cause significant disruptions. To provide increased visibility into the growing cyber threats to critical infrastructure, Congress and the President enacted a law on cyber incident reporting. This law calls for DHS to address 13 requirements by March 2024, including publishing a proposed rule for certain entities to submit reports on cyber incidents and ransom payments to DHS.

The law also includes a provision for GAO to report on the implementation of the act. This report (1) examines the extent to which DHS has implemented the act's requirements and (2) describes efforts DHS has made to identify and mitigate challenges with meeting the act's requirements.

To do so, GAO identified 59 requirements in the act that DHS was responsible for implementing. Of those, 13 requirements were due by March 2024. GAO organized the requirements into four categories: proposed rule for reporting requirements, cyber incident reporting council, ransomware pilot program, and joint ransomware task force. GAO then analyzed the department's implementation of the 13 requirements. GAO also summarized documentation and testimonial evidence regarding challenges DHS faced in implementing the act's requirements and its mitigation plans.

CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start.

An organization’s acquisition staff often has a general understanding of the core cybersecurity requirements for a particular technology acquisition. However, they frequently don’t assess whether a given supplier has practices and policies in place to ensure that security is a core consideration from the earliest stages of the product development lifecycle.

This guide provides organizations with questions to ask when buying software, considerations to integrate product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles.

This guide compliments the “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” that was recently published.

CISA encourages organizations to review both the Secure by Demand Guide and Software Acquisition Guide and implement recommended actions.

It has been over 270 days since President Biden issued his landmark Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” ensuring that the United States leads the world in seizing the promise of Artificial Intelligence (AI) while addressing its risks. Throughout its AI-related efforts, the Department of Homeland Security (DHS) has maintained a clear set of principles and robust governance that prioritizes the protection of civil rights, civil liberties, and privacy, and increased its engagement with affected communities.

Conducted New AI Pilot to Identify and Combat Vulnerabilities in Critical United States Government Software, Systems, and Networks

- As directed in executive order 14110 and on behalf of DHS, the Cybersecurity and Infrastructure Security Agency (CISA) developed, conducted, and completed an operational pilot using AI capabilities to support CISA’s cybersecurity mission in the detection and remediation of vulnerabilities in critical United States Government software, systems, and networks.

- Through this operational pilot, CISA examined whether current vulnerability detection software products that use AI, including large language models, are more effective at detecting vulnerabilities than those that do not use AI.

- The report found that the best use of AI for vulnerability detection currently lies in supplementing and enhancing, as opposed to replacing, existing tools.

- AI tools are improving constantly, and CISA will continue to monitor the market and test tools to ensure CISA’s vulnerability detection capabilities remain state-of-the-art.

Developed an AI International Engagement Plan for Collaboration with Allies and Partners

- DHS developed a comprehensive strategy of engagement on AI and critical infrastructure with our international allies and partners, including, Canada, Mexico, the European Union (EU), and Five Eyes partners covering everything from cybersecurity to transnational infrastructure. This collaborative strategy identifies ways for the United States and its allies to detect, deter, and prevent threats at the nexus of AI, cyber, and critical infrastructure security.

- The efforts outlined in the strategy include sharing lessons learned and threat information, and identifying and collaborating on new opportunities and risks, through existing and novel international forums. DHS will engage across the spectrum with our closest security allies, in support of the Biden-Harris Administration’s AI contact group of nations, multilateral efforts such as the G7 and the Organization for Economic Cooperation and Development, and pivotal bilateral engagements with countries, including those with shared critical infrastructure.

Hired 15 New Experts to the “AI Corps” Who are Helping Responsibly Leverage AI Across DHS Mission Areas

- As part of the Department’s “AI Corps” hiring sprint, DHS has onboarded the first cohort of 15 AI experts from the private and public sectors to play pivotal roles responsibly leveraging AI across strategic mission areas in the Department. The AI Corps is one of the most significant AI-talent recruitment efforts of any federal civilian agency, aiming to hire 50 AI experts to enhance service delivery and impact the homeland security mission while safeguarding privacy, civil rights, and civil liberties.

- AI Corps members are currently working with the DHS Supply Chain Resilience Center to investigate how AI could be used to forecast the impacts of critical supply chain disruptions to public safety and security; working with DHS Science & Technology (S&T) to develop test and evaluation (T&E) requirements across the lifecycle of an AI system; and leveraging generative AI to support the work of the Department’s Homeland Security Investigations (HSI) department to combat fentanyl, human trafficking, child exploitation, and other criminal networks.

- In addition to the AI Corps, the DHS Office of Partnership and Engagement (OPE) hired a new Senior Director for Artificial Intelligence to further build the Department’s engagement on AI across sectors, meeting a commitment outlined in the AI Roadmap and establishing a channel for ongoing stakeholder feedback and information sharing.

Convened the AI Safety and Security Board and Took Steps to Bolster AI Safety and Security

- At the President’s direction, Secretary of Homeland Security Alejandro N. Mayorkas established the AI Safety and Security Board (AISSB), an unparalleled gathering of AI leaders representing prominent companies in the hardware and software industries, AI model labs, critical infrastructure owners and operators, civil rights leaders, and federal, state, and local officials.  The President directed the Board to provide to the Secretary and the critical infrastructure community advice, information, and recommendations on the safe and secure development and deployment of AI.

- The Board convened its inaugural meeting in May 2024. Since then, the Department and the Board have been developing guidance and standards of practices to improve AI safety and security across the AI ecosystem.  The deployment of safe, secure, and trustworthy AI generates consumer trust and fuels adoption and innovation.  AI can substantially improve the services the nation’s critical infrastructure provides, if we secure systems against safety and security threats.

Met with 16 Groups to Better Ensure Civil Rights, Civil Liberties and Privacy Are Protected in AI Adoption

- Through the DHS Artificial Intelligence Task Force, the DHS Office for Civil Rights and Civil Liberties (CRCL), in collaboration with the DHS Privacy Office, leads efforts to develop tailored approaches to provide guidance, risk assessment, mitigation strategies, and oversight for the protection of civil rights and civil liberties in projects championed by the DHS AI Task Force.

- In March 2024, the Department launched the AI Roadmap, which details plans to test uses of the technologies that deliver meaningful benefits to the American public and advance homeland security, while ensuring that individuals’ privacy, civil rights, and civil liberties are protected.

- Under the leadership of the DHS Office of Partnership and Engagement (OPE), the Department is exercising its commitment to ensure increased engagement on the development and deployment of AI with community-based organizations; civil-rights and civil-liberties organizations; academic institutions; industry; State, local, Tribal, and territorial governments; and other stakeholders. Building on an initial series of AI and civil rights engagements led by OPE with DHS leadership in Spring 2024, OPE facilitated engagement for Secretary Mayorkas with civil society leaders to discuss the AI Roadmap. In his engagement, the Secretary emphasized the AI Roadmap’s direction to ensure the responsible and trustworthy use of AI and explicit commitment to continued partnerships and engagement with civil society. The Department has continued to engage with multiple civil society, academic, industry and other organizations to discuss privacy, civil rights, and civil liberties protections and impacts and how they are being addressed through the DHS AI Roadmap.

These efforts build and expand on the Department’s ongoing AI initiatives announced earlier this year to facilitates the safe and responsible deployment and use of AI in federal government, critical infrastructure, and the U.S. economy.

CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) to release an advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action outlining a PRC state-sponsored cyber group’s activity. The following organizations also collaborated with ASD's ACSC on the guidance:

- The National Security Agency (NSA);

- The Federal Bureau of Investigation (FBI);

- The United Kingdom’s National Cyber Security Centre (NCSC-UK);

- The Canadian Centre for Cyber Security (CCCS);

- The New Zealand National Cyber Security Centre (NCSC-NZ);

- The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV);

- The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC); and

- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA).

The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting.

APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations. APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.

CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.