Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.


The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.


The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum covers both offensive and defensive cybersecurity, delivered within our state-of-the-art Virtual Learning Environment so that students gain extensive hands-on experience and develop the knowledge, skills, and abilities they need to succeed after graduation.

Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a one-year scholarship, awarded annually, for juniors and seniors pursuing a bachelor's degree in a cyber-related discipline. Selected Cyber Scholars receive tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Thursday, March 28, 2024 - 14:03
Plan to resuscitate beleaguered vulnerability database draws criticism 

The federal official in charge of a crucial vulnerability database that has recently gone mostly dark said Wednesday that she hoped the formation of a consortium would improve the repository, a move that some experts immediately criticized as too slow to address an urgent problem.

In mid-February, the National Institute of Standards and Technology stopped providing key metadata for many vulnerabilities in its National Vulnerability Database, which cybersecurity professionals describe as a critical tool for computer security functions globally and whose absence could result in dangerous vulnerabilities going unfixed.

Tanya Brewer, who manages the National Vulnerability Database program, said at a conference on Wednesday that a notice forthcoming in the Federal Register in the next two weeks will announce the process for forming an outside consortium to help improve the database.

Compared to other resources of its kind, “NVD is not the best database,” Brewer said. If it was, “I would not be putting together a consortium asking industry to help make it better,” she said at VulnCon in Raleigh, N.C. “There’s a lot of room for the NVD to improve, and I think we have the capability to be a much better database than we are.”

Planned improvements over the next one to five years include customizable alerts and new data types, as well as a way to partially automate the analysis of Common Vulnerabilities and Exposures, or CVEs, the standard identifiers for publicly disclosed vulnerabilities, Brewer said.

Brewer did not offer a detailed explanation about what led to the reduced activity on the database, chalking it up to a long story that amounts to “administrivia,” a growing volume of data submitted to the database and budget cuts affecting her agency. 

Since early 2020, email traffic related to the database has tripled while staff size has remained flat, never rising above 21 people at any point, Brewer said. Nor is the program equipped to receive massive amounts of data, she said, such as "Common Platform Enumerations" or CPEs, the standardized naming scheme for software and hardware products that NVD attaches to each CVE so that defenders can match vulnerabilities against what they have installed.

“One of my short-term goals for the consortium I’m standing up is to build a system that will let manufacturers give us just big dumps of CPE data,” she said. Now, if someone offers to give the program 74,000 CVEs, the answer would be, “‘Oh please don’t,’” Brewer said. “But in a year’s time, I want the answer to be, ‘Yes, please.”
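The "key metadata" NIST stopped adding is what turns a bare CVE entry into something a scanner can act on: a CVSS score and a set of CPE match criteria. The added example below (not code from CyberScoop, NIST or the NVD) shows what a practitioner's tooling would check for in that situation: it parses CPE 2.3 formatted strings, flags NVD records that lack enrichment, and matches enriched records against an asset inventory. The record layout follows the NVD API 2.0 JSON as the author understands it (cve.vulnStatus, cve.metrics.cvssMetricV31, cve.configurations[].nodes[].cpeMatch[]); the records and inventory are constructed, with placeholder CVE-EXAMPLE-* ids and a fictitious vendor, and the matcher deliberately ignores NVD's version-range fields.

```python
"""Triage NVD CVE records for missing enrichment and match CPE 2.3 names.

Added example, not code from CyberScoop, NIST or the NVD. Field names assume
the NVD API 2.0 JSON layout; all sample data below is constructed.
"""

# CPE 2.3 formatted string: "cpe:2.3:" followed by 11 colon-separated attributes.
# "*" means ANY, "-" means NA; a literal ":" inside a value is escaped as "\:".
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# vulnStatus values meaning NIST has not yet attached CVSS/CPE metadata (assumed names)
UNENRICHED = ("Received", "Awaiting Analysis", "Undergoing Analysis")


def _split_unescaped(s):
    """Split on ':' while honouring backslash escapes."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if s[i] == ":":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    out.append("".join(cur))
    return out


def parse_cpe(fs):
    """Return a dict of the 11 CPE attributes, or raise ValueError."""
    parts = _split_unescaped(fs)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    if parts[2] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"bad part attribute {parts[2]!r} in {fs!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def cpe_matches(criteria, asset):
    """Attribute-wise match; '*' on either side matches anything.
    Simplification: NVD version-range fields (versionStartIncluding etc.) are ignored."""
    return all(criteria[f] == "*" or asset[f] == "*" or criteria[f] == asset[f]
               for f in CPE_FIELDS)


def enrichment_gaps(record):
    """List what is missing from one NVD record: status, CVSS, CPE configurations."""
    cve = record["cve"]
    gaps = []
    status = cve.get("vulnStatus", "")
    if status in UNENRICHED:
        gaps.append("status:" + status)
    metrics = cve.get("metrics", {})
    if not (metrics.get("cvssMetricV31") or metrics.get("cvssMetricV40")):
        gaps.append("no-cvss")
    if not cve.get("configurations"):
        gaps.append("no-cpe-configurations")
    return gaps


def affected_cves(records, inventory):
    """Map CVE id -> set of matching CPE criteria for the given asset inventory.
    Records without configurations can never match: that is the blind spot an
    un-enriched backlog creates for CPE-driven scanners."""
    assets = [parse_cpe(c) for c in inventory]
    hits = {}
    for rec in records:
        cve = rec["cve"]
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable", False):
                        continue
                    crit = parse_cpe(m["criteria"])
                    if any(cpe_matches(crit, a) for a in assets):
                        hits.setdefault(cve["id"], set()).add(m["criteria"])
    return hits


# Constructed sample data (placeholder ids, fictitious vendor), not real NVD records.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-EXAMPLE-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplecorp:widgetd:1.2.3:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-EXAMPLE-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "configurations": []}},
]
INVENTORY = [
    "cpe:2.3:a:examplecorp:widgetd:1.2.3:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:widgetos:4.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["cve"]["id"], enrichment_gaps(rec) or "enriched")
    print(affected_cves(SAMPLE_RECORDS, INVENTORY))
```

Run against the constructed records, the first CVE is fully enriched and matches the installed widgetd build, while the second reports three gaps and can never match anything, whatever is installed. That second case is what the backlog described above looks like from the consumer's side: the CVE exists, but without CPE criteria nothing in the inventory will be linked to it.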

Until the consortium is formed, the NVD program office is reallocating personnel and working with other agencies toward "fixing the current problem," she said. In the meantime, she said the office is still "taking care of priority things," such as analyzing vulnerabilities that appear on the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, the so-called "must patch" list, or that are disclosed on Microsoft's Patch Tuesdays.

Cybersecurity professionals have been pushing for NVD to resume its normal operations in recent months. A recent open letter to Secretary of Commerce Gina Raimondo and members of Congress that was signed by two dozen security professionals called on the U.S. government “to ensure NIST is provided with the necessary resources to not only resume normal operations of this critical service but to also improve it further to resolve extant issues that preceded the February 2024 service degradation.”

Dan Lorenc, the co-founder and CEO of Chainguard who helped organize the letter, said Brewer’s proposal to form a consortium was insufficient.

“While I appreciate hearing directly from NIST regarding the situation involving NVD, the comments do not inspire confidence in a timely resolution,” he said.

A consortium isn’t the answer, he said, because “adding layers of governance and bureaucracy can slow things down, which does not instill confidence. While I believe there’s room for industry to collaborate with NIST, I believe that a single entity should clearly own and operate NVD, especially given its critical role as a source of truth for the federal government.”

Jerry Gamblin, a principal engineer at Cisco Threat Detection & Response, said he was hopeful about the consortium making a difference.

“They weren’t able to analyze all CVEs before the slowdown, so I hope the consortium can help them get to 100% coverage,” he said via email. “We don’t have new data we can share, but what we are seeing essentially maps to public reporting about the number of CVEs left unanalyzed. We understand that NIST is aware of the problem and the concerns — and is working diligently to modernize NVD.”  

A consortium could be another six to nine months away from forming, though, said Tom Alrich, who leads the OWASP SBOM Forum project. That’s “not exactly a solution to the problem,” he said. While Alrich said he was sympathetic to the program’s difficult situation, he was frustrated about the lack of specificity about what had caused the problem in the first place. 

The post Plan to resuscitate beleaguered vulnerability database draws criticism  appeared first on CyberScoop.

Wednesday, March 27, 2024 - 16:25
CISA releases draft rule for cyber incident reporting

In one of the biggest cybersecurity policy reforms in recent memory, the Cybersecurity and Infrastructure Security Agency on Wednesday released its much-anticipated notice of proposed rulemaking to require critical infrastructure organizations to report cybersecurity incidents, a move intended to provide the federal government with better insight about breaches that affect highly sensitive entities, such as water and power utilities. 

Wednesday's notice of proposed rulemaking (NOPR) represents the next step in a process that began after the Cyber Incident Reporting for Critical Infrastructure Act was signed into law in March 2022. That law was inspired in part by the SolarWinds hack, which made clear how little information the federal government had about breaches affecting critical infrastructure entities. It also represents one of CISA's first steps into a more regulatory role, one the agency has historically tried to avoid.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly in a statement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”

Under the proposed rule, covered entities would have to report covered cyber incidents within 72 hours "after the covered entity reasonably believes the covered cyber incident has occurred" and ransom payments within 24 hours of making them, unless the payment is connected to a covered incident, in which case the organization has 72 hours to file a single report covering both.

While they contain a series of detailed carve-outs, the rules generally require companies to report incidents that impact safety, disrupt services, or were carried out through a third party such as a cloud service provider.

In a media briefing Wednesday, a senior CISA official noted that the agency is working on a way to share anonymized data with researchers. While cyberattacks on critical infrastructure systems are believed to be legion, researchers lack good data about their prevalence, and many experts hope that CIRCIA's incident reporting requirement can fill this gap.

According to the proposed rules, CISA plans to use the data it receives to carry out trend and threat analysis, incident response and mitigation, and to inform future strategies to improve resilience. 

While the rule is not expected to be finalized for roughly 18 months, and potentially not until late next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and types of cyber incident.

For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported. 

The list of exceptions to the cyber incidents that critical infrastructure operators will need to report is around twice as long as the conditions that require reporting an incident, and the final shape of the rule may change as CISA considers comments from industry.  

The proposed rule would cover any entity in a critical infrastructure sector that exceeds the federal government's small business size threshold, plus entities that meet sector-based criteria regardless of size. Some sectors would be covered in their entirety, such as the chemical sector. For others, such as the information technology sector, coverage depends on criteria laid out in the rule.

Indeed, the rules governing the information technology sector could have a wide reach, as CISA is proposing that any organization that sells “IT hardware, software, systems, or services” to the federal government be required to report incidents. 

CISA's proposed rules are the latest entrant in a complicated regulatory landscape governing when companies are required to report cybersecurity incidents. Last year, the Securities and Exchange Commission mandated that publicly traded companies report "material" breaches to investors, a move Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, sought to quash, arguing that it conflicts with CISA's remit.

Harmonizing these various reporting requirements is a key challenge facing executive branch policymakers. While CISA's rules are aimed at critical infrastructure organizations that experience cyber-related disruptions, the SEC regulations apply to publicly traded companies. The requirements may overlap in some cases, and many experts see them as complementary rather than in conflict. CISA's rules also require far more detailed information to be disclosed about breaches than the SEC's investor-facing disclosures.

CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.

Bennie Thompson, D-Miss., ranking member of the House Committee on Homeland Security, and Rep. Yvette Clarke, D-N.Y., said in a joint statement that they would like to see a reduction in compliance costs so that additional resources can be invested in security.

While the list of covered entities might appear long (CISA said it expects around 350,000 to be required to report), the size-based criteria and sector-specific rules might leave major gaps, according to Josh Corman, founder of I Am The Cavalry and former chief strategist of CISA's COVID Task Force.

Corman has spoken frequently about the surprising number of small organizations that, if impacted, could have posed serious risks to the nation’s COVID-19 response. “It’s not the size of the organization,” Corman said in an interview. “It’s the size of the harm to the national critical functions and critical infrastructure.”

That concern is heightened by recent warnings from U.S. national security officials that China is carrying out increasingly aggressive operations targeting American critical infrastructure. 

Corman argues CISA could have relied on the list of systemically important critical entities that the agency has developed — which are the most critical of critical entities that may fall outside what is considered critical infrastructure — in order to ensure better coverage.

Corman pointed to the proposal's treatment of hospitals as a major flaw: under the rule, hospitals with fewer than 100 beds would not be required to report incidents, even though only a small number of hospitals exceed that threshold. Hospitals designated as "critical access" hospitals, which are largely rural, would also be required to report.

The proposed rules contend that larger hospitals “are more likely” to experience “substantial impact” and that “larger hospitals are likely to be better equipped to simultaneously respond to and report a cyber incident.”

Corman also pointed out that the categories of critical infrastructure entities are based on sector-specific plans that have not been updated since 2015. “CISA did not even exist in 2015,” Corman said. “How can a sector-specific plan written almost 10 years ago be the basis for us getting our head around the proper focus and implementation as planned?”

Other experts questioned whether entities have the financial resources to implement the requirements. The rules require community water systems and water treatment services that serve more than 3,300 people to report incidents, and experts question whether these entities can implement proper security measures — let alone spot and report breaches. 

Chris Warner, an operational technology security strategist at the security firm GuidePoint, described what he encountered at one water utility in Florida: “They were so small they had three IT guys handling the OT security and we all know … 99% of the time that doesn’t work at all.”

The post CISA releases draft rule for cyber incident reporting appeared first on CyberScoop.

Wednesday, March 27, 2024 - 13:53
Treasury report calls out cyber risks to financial sector fueled by AI

The financial services industry could be increasingly vulnerable to cyber-enabled fraud perpetrated by threat actors leveraging artificial intelligence tools, according to a Treasury Department report released Wednesday that examines AI-specific cyber risks to the critical infrastructure sector.

The report, led by Treasury’s Office of Cybersecurity and Critical Infrastructure Protection to fulfill a requirement in President Joe Biden’s AI executive order, delivers no cyber-related mandates to the financial services sector, nor does it recommend or argue against the use of AI in the industry’s work. But the report, based in part on interviews with representatives from 42 financial services and tech-related companies, provides warnings to the industry at large about AI’s potential to worsen fraud while also sharing best practices and AI use cases for cyber and fraud prevention.

“Artificial intelligence is redefining cybersecurity and fraud in the financial services sector, and the Biden administration is committed to working with financial institutions to utilize emerging technologies while safeguarding against threats to operational resiliency and financial stability,” Under Secretary for Domestic Finance Nellie Liang said in a statement. “Treasury’s AI report builds on our successful public-private partnership for secure cloud adoption and lays out a clear vision for how financial institutions can safely map out their business lines and disrupt rapidly evolving AI-driven fraud.”

The fear of an uptick in cyber-enabled fraud is fueled by increased accessibility to emerging AI tools, the report notes, giving threat actors an “advantage by outpacing and outnumbering their AI targets,” at least initially. 

To combat that advantage, the report pushes financial institutions to “expand and strengthen their risk management and cybersecurity practices to account for AI systems’ advanced and novel capabilities, consider greater integration of AI solutions into their cybersecurity practices, and enhance collaboration, particularly threat information sharing.”

Managing AI-related cyber risks should be akin to best practices in the protection of IT systems, the report said. Several of the participating financial institutions told the report’s authors that their current practices match elements of the National Institute of Standards and Technology’s AI Risk Management Framework, though “many also noted that it is challenging to establish practical and enterprise-wide policies and controls for emerging technologies like Generative AI.”

Other financial sector report participants said they were developing AI-specific risk management frameworks in-house, many of them guided by the principles laid out in NIST's AI RMF as well as the Organisation for Economic Co-operation and Development's AI Principles and the Open Worldwide Application Security Project's AI Security and Privacy Guide.

But the experimentation with and development of financial firms’ in-house AI systems and frameworks underscores “a widening capability gap” between the biggest and smallest companies in the sector.

“One firm has stated that it has approximately 400 employees working on fraud-prevention AI systems, and AI service providers noted being approached with thousands of use cases by larger firms,” the report said. “Smaller firms report that they do not have the IT resources or expertise to develop their own AI models; therefore, these firms solely rely on third-party or core service providers for such capabilities.”

Many financial institution participants said they believed AI adoption was important because of the technology’s potential to “significantly improve the quality and cost efficiencies of their cybersecurity and anti-fraud management functions.” Among the ways in which cyber threat actors can utilize AI, the report specifically called out social engineering, malware and code generation, vulnerability discovery and disinformation. Cyberthreats to AI systems include data poisoning, data leakage, evasion and model extraction. 

The automation currently used by financial institutions for “time-consuming and labor-intensive anti-fraud and cybersecurity-related tasks” will likely be enhanced by generative AI “by capturing and processing broader and deeper data sets and utilizing more sophisticated analytics.” Technologies of that kind, the report added, can also enable financial firms to take on “more proactive cybersecurity and fraud-prevention postures.” 

Going forward, the financial services sector relayed that it would be helpful to have “a common lexicon” on AI tools to aid in more productive discussions with third parties and regulators, ensuring that all stakeholders are speaking the same language. Report participants also said their firms would “benefit from the development of best practices concerning the mapping of data supply chains and data standards.”

The Treasury Department said it would work with the financial sector, as well as NIST, the Cybersecurity and Infrastructure Security Agency and the National Telecommunications and Information Administration to further discuss potential recommendations tied to those asks.

In the coming months, Treasury officials will collaborate with industry, other agencies, international partners and federal and state financial sector regulators on critical initiatives tied to AI-related challenges in the sector. 

The post Treasury report calls out cyber risks to financial sector fueled by AI appeared first on CyberScoop.

Wednesday, March 27, 2024 - 06:00
Spyware and zero-day exploits increasingly go hand-in-hand, researchers find

Researchers tracking the exploitation of previously undisclosed vulnerabilities found that commercial spyware firms are increasingly responsible for leveraging such zero-day flaws against mobile phones and other consumer-oriented devices, according to a report published Wednesday.

The joint report from Google's Threat Analysis Group and Google-owned Mandiant determined that in 2023, commercial surveillance vendors (CSVs), the companies that build and sell spyware, were responsible for 64% of known exploited mobile and browser zero-day vulnerabilities.

“We have all seen the harms that are being caused towards society from these CSVs, and we are still seeing them playing some of the biggest roles in in-the-wild zero-days that are discovered against end-user devices,” said Maddie Stone, security engineer at Google TAG. “Overall we’re definitely seeing it on an upward trajectory on the end-user space for CSVs.”

Wednesday’s report comes against the backdrop of a Biden administration push to crack down on spyware abuses, following ever-expanding revelations about buyers using the tech to eavesdrop on U.S. government personnel overseas, journalists and activists.

The White House has banned U.S. government agencies from using spyware that poses a threat to U.S. national security, has convinced a number of U.S. allies to pledge to use spyware responsibly and is looking to sign up additional countries to the pact.

Wednesday's zero-day report tallied 97 zero-day vulnerabilities exploited "in the wild," meaning flaws attackers actually used against real targets rather than ones found only through research. Of those, 37 were mobile and browser vulnerabilities, and spyware firms were responsible for 24 of them, according to the analysis. CSVs were behind three-quarters of the known zero-day exploits targeting Google products and Android devices, and 55% of those targeting iOS and Safari.

“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the report states. “CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual’s device.”

The ease with which spyware vendors hand all-in-one surveillance tooling to whoever pays for it might account for the spike in numbers, but the rise might also reflect defenders getting better at catching such exploits, Stone said, noting that the report tallies only the exploits researchers detected, not necessarily every exploit used.

The 97 exploited zero-day vulnerabilities represent a rise from 2022's tally but fall short of the record of 106 set in 2021. The report also highlighted improvements by tech companies in fending off zero-days.

Other findings of the report include increased targeting of third-party components and enterprise products; China continuing to be the most prolific state user of zero-day exploits; and the first known instance of reportedly Belarusian-linked espionage groups making use of zero-day vulnerabilities.

The post Spyware and zero-day exploits increasingly go hand-in-hand, researchers find appeared first on CyberScoop.

Tuesday, March 26, 2024 - 15:30
Chinese hackers target family members to surveil hard targets

When American prosecutors unsealed an indictment Monday describing a sprawling Chinese hacking campaign, they revealed that when Beijing’s hackers are determined to infiltrate a person’s digital life, few targets are off the table — including family members.

According to the indictment, between 2015 and 2024, a Chinese hacking group known as APT 31 that is linked to China’s Ministry of State Security targeted thousands of U.S. and Western politicians, foreign policy experts, academics, journalists and democracy activists. In many cases, the group focused its efforts on politicians that the Chinese government “perceived as being critical of PRC government policies.”

These are generally individuals who are aware of the risk that China will try to surveil them using digital means and have tried to lock down their digital systems in response. But the same cannot always be said of their family members, and according to Monday’s indictment, the APT 31 hackers used malicious email messages sent to family members of their actual targets as a reconnaissance tool.  

These emails were not necessarily laced with harmful malware or used in traditional phishing attacks; rather, they included tracking links that, if clicked, revealed a host of information about the target user, including their location, browser and operating system, the device they used, their IP address and schematic details for their network. The hackers used this reconnaissance to enable what the indictment describes as “more direct and sophisticated” targeting of devices such as routers belonging to high-ranking U.S. government officials, politicians and campaign staff. 
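The tracking link described above leaks nothing exotic: every click is an ordinary HTTP request, and the request itself carries the recipient's IP address, User-Agent (browser, OS version, device class) and language preferences, while the per-recipient token in the URL tells the sender exactly who clicked. The added example below (not code from the article, the indictment or any vendor) shows both sides: what a tracking server can extract from a single click, and a mail-side heuristic that flags anchors shaped like per-recipient click trackers. The HTTP request and e-mail body are constructed, hostnames use the reserved .invalid TLD, the server is assumed to sit behind a proxy that sets X-Forwarded-For, and the User-Agent lookup is a small table rather than a full parser.

```python
"""Recon leaked by one tracking-link click, and a detector for such links.

Added example; not from the article or the indictment. Request, e-mail body
and hostnames are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed: the request a tracking server sees when the recipient clicks.
SAMPLE_REQUEST = (
    "GET /r/8f1e2c9a?u=rcpt-0042 HTTP/1.1\r\n"
    "Host: t.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) "
    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "X-Forwarded-For: 198.51.100.23\r\n"   # assumes a reverse proxy sets this
    "\r\n"
)

# Constructed e-mail body: one ordinary article link, one tracking-style redirect.
SAMPLE_EMAIL = """
<p>Excerpt from today's piece: <a href="https://news.example.invalid/2024/03/story.html">Read the full story</a></p>
<p>Related: <a href="https://t.example.invalid/r/8f1e2c9a?u=rcpt-0042">https://news.example.invalid/2024/03/related.html</a></p>
"""

_OS_RULES = [  # small lookup table, not a full User-Agent parser
    (re.compile(r"iPhone OS (\d+)[_.](\d+)"), "iOS {0}.{1}"),
    (re.compile(r"Android (\d+(?:\.\d+)?)"), "Android {0}"),
    (re.compile(r"Windows NT (\d+\.\d+)"), "Windows NT {0}"),
    (re.compile(r"Mac OS X (\d+)[_.](\d+)"), "macOS {0}.{1}"),
    (re.compile(r"Linux"), "Linux"),
]
_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RECIPIENT_KEYS = ("u", "uid", "rid", "recipient", "e", "mc_eid")  # assumed common names


def recon_from_request(raw):
    """Fields a single click reveals: IP, OS, browser, device class, language, tokens."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ua = headers.get("user-agent", "")
    os_name = "unknown"
    for rx, fmt in _OS_RULES:
        m = rx.search(ua)
        if m:
            os_name = fmt.format(*m.groups())
            break
    if "Firefox/" in ua:
        browser = "Firefox"
    elif "Chrome/" in ua or "CriOS/" in ua:
        browser = "Chrome"
    elif "Safari/" in ua:
        browser = "Safari"
    else:
        browser = "unknown"
    url = urlparse(target)
    return {
        "ip": headers.get("x-forwarded-for", "").split(",")[0].strip() or None,
        "os": os_name,
        "browser": browser,
        "device": "mobile" if re.search(r"Mobile|iPhone|Android", ua) else "desktop",
        "language": headers.get("accept-language", "").split(",")[0] or None,
        "path_token": url.path.rstrip("/").rsplit("/", 1)[-1],
        "recipient_token": parse_qs(url.query).get("u", [None])[0],
    }


def _opaque(segment):
    """Path segment that looks like an id, not a page: 8+ chars, no dot, hex or letter/digit mix."""
    if len(segment) < 8 or "." in segment:
        return False
    return bool(re.fullmatch(r"[0-9a-fA-F]+", segment)) or (
        any(c.isdigit() for c in segment) and any(c.isalpha() for c in segment))


def suspicious_tracking_links(html, trusted_hosts=()):
    """Flag anchors shaped like per-recipient click trackers; skip trusted hosts."""
    findings = []
    for href, text in _ANCHOR.findall(html):
        p = urlparse(href)
        if p.hostname in trusted_hosts:
            continue
        reasons = [f"opaque path segment {s!r}" for s in p.path.split("/") if _opaque(s)]
        q = parse_qs(p.query)
        reasons += [f"recipient-style query parameter {k!r}" for k in RECIPIENT_KEYS if k in q]
        shown = urlparse(text.strip())
        if shown.scheme in ("http", "https") and shown.hostname != p.hostname:
            reasons.append(f"link text shows {shown.hostname} but href goes to {p.hostname}")
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings
```

On the constructed request the server learns an iOS 17.3 Safari user on a mobile device at 198.51.100.23, preferring US English, identified as recipient rcpt-0042; that is the browser, OS, device, IP and per-target attribution the indictment describes, obtained from nothing more than headers the browser sends on every request. The detector flags only the second link, for three independent reasons (opaque redirect token, recipient parameter, and link text pointing at a different host than the href), which is also why Raggi's observation holds: the same shape is produced by legitimate marketing click-trackers, so a flag is a reason to hover before clicking, not proof of malice.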

According to Michael Raggi, a principal analyst at Mandiant and Google Cloud, this kind of targeting is not unheard of but still relatively rare.

“I would say from my experience, targeting the families of political individuals in the West by actors like APT 31 is not something that I have seen with regularity in the threat landscape,” Raggi said.

Chinese efforts to control speech abroad increasingly rely on manipulating family relationships in creative ways.

Last year, the U.S. Department of Justice indicted more than 40 individuals who were allegedly part of a scheme by the Chinese Ministry of Public Security to use thousands of fictitious social media personas to attack and harass Chinese nationals living in the United States who had criticized the Chinese government. 

Dakota Cary, a nonresident fellow at the Atlantic Council’s Global China Hub, placed this kind of targeting into two buckets. The first is when China goes after dissident groups with family in and around China. In that case, the family members may be both a means to reach their ultimate target and a target in their own right for harassment or intimidation.

The second bucket is “people who have incredibly high security awareness” and would otherwise count as hard security targets. This would include government officials, politicians and other groups like those targeted by APT 31. In this instance, going after members of the family or home networks may be an easier pathway to compromise than trying to hack the individual or their telecommunications provider.

“I think it’s clear to see that family is explicitly on the table for China, whether that’s to get through the family to a specific target or go after the family themselves,” Cary, who is also a China-focused consultant for the cybersecurity firm SentinelOne, told CyberScoop.

This strategy was detailed in a report last year by the U.S.-China Economic and Security Review Commission, which describes broader efforts by the Chinese government to conduct "coercion-by-proxy" against both internal and external critics through "harassment, hacking, attempted kidnapping, online disinformation campaigns" directed at family members living abroad.

Raggi cautioned that the APT 31 operations described in Monday’s indictment are distinct from broader efforts by Beijing to intimidate or coerce critics abroad. Raggi described the use of tracking links as likely “the first step in a more technical attack chain targeting a politically exposed individual.” 

The tracking links used by APT 31 are the same kind that legitimate organizations, such as marketing agencies, use to track engagement with their emailed content, Raggi added. A user's click wouldn't by itself convey the kind of information that would necessarily make it easier to compromise a target's home router or help an attacker pivot into a victim's email.

Targeting family members represents just one of the creative ways that the Chinese government targets high-value individuals. According to Monday’s indictment, in some cases APT 31 operators posed as prominent journalists from CNN, Vox and other media outlets to send emails to U.S. government officials that purported to contain excerpts and links to legitimate news articles that were in fact tracking links. 

Other close associates, like employees and staff, can also provide an easier pathway to compromising an individual. Stewart McDonald, one of three members of British Parliament targeted by APT 31, noted in a press conference this week that a hacking group linked to Russia was able to gain access to his email account last year by first breaking into the personal email account of one of his staffers and using it in a phishing attack.

"That doesn't get talked about enough," McDonald said.

The post Chinese hackers target family members to surveil hard targets appeared first on CyberScoop.