The Cybersecurity Agency's (CSA) Critical Infrastructure
Security Operations Center (CI-SOC) reported its first detection of a cybersecurity
attack on one of the covered private sector entities that it was protecting.
The CI-SOC reported detecting a large data exfiltration from an unnamed medical
device manufacturer in Illinois. It was not able to stop the information
from leaving the country.
General Buck Turgidson (ret.), Director of CI-SOC, told
reporters at a morning news conference that the CI-SOC was monitoring incoming
and outgoing digital traffic from the research facility and noted the large (20
gigabyte) data transmission from the site to a server in Guangdong, China. "Our
agreement with the affected company allows us to monitor, but not control, the
flow of information to and from the facility," Turgidson said. "By the time we
were able to contact someone at the facility, the information was long gone."
When asked if the CI-SOC knew what information had been
exfiltrated, Turgidson reported that they had a copy of the affected files but
were not able to discuss what information was included due to the memorandum of
understanding between CSA and the affected facility. A source at CI-SOC who
was not authorized to talk to the press said that the information included
design details about a new COVID-19 virus testing device the company was
working on.
Asked whether the current understaffing at the new
cybersecurity facility was responsible for the data exfiltration not being
stopped, Turgidson replied with an emphatic no. "Most of the data monitoring is
done by automated systems," he explained. "There was a staffer here brought
into the loop within minutes of the start of the exfiltration, but the data was
already in China by that point. Even if we had a person in the loop sooner, we
would not have been able to contact the client by the time the data was gone."
Turgidson replied to a question about the usefulness of the
CI-SOC in this instance by noting that an away team was already en route to the
facility to help the client determine how the attack had started and to prevent
any further information from being removed from the facility. "The earlier a
forensic examination of the systems can be started, the more we can limit the
damage," he explained. "If this was the result of a new type of attack, the
gathering of information on the mode of the attack may allow us to stop future
attacks at other facilities."
Johnathan Quest, spokesperson for the Federal Bureau of
Inquiry, told this reporter that the FBI was aware of the incident and had a forensic
investigation team en route to the facility to work with the CI-SOC team.
Rep. Tucker Watts, Jr. (R-GA) said that he was concerned
about the inability of the CI-SOC to prevent the valuable data from leaving the
country. "What good is all of the money that we are spending on that facility
if it can only tell us that a cybercrime has happened? I expect that the
appropriate committees will be investigating this incident when we return to
session in September."