OUR PICKSA Cyber Threat to U.S. Drinking Water | Overly Broad Terrorist Watchlist Poses National Security Risks | How Terrorists Exploit Humanitarian Organizations, and more
· A Cyber Threat to U.S. Drinking Water
The Iranian threat to U.S. drinking water systems is a microcosm of what’s wrong with cybersecurity in the U.S. today—and what’s needed to fix it
· ‘The Opposite of Politics’: A Conservative Legal Scholar Says Kicking Trump Off the Ballot Is ‘Unassailable’
J. Michael Luttig explains why he thinks the 14th Amendment should prevent Trump from running for president again
· Chinese Chip Import Concerns Prompt US to Review Semiconductor Supply Chain
National security concerns grow over Chinese-sourced chips
· Chinese Still Largest Group of Foreign Students in US
Despite a slight dip, China is still the leading country of origin for foreign students pursuing an education in the U.S.
· Overly Broad Terrorist Watchlist Poses National Security Risks, Senate Report Says
The Watch Lis is uncoordinated and too broad, a dynamic that pose risk to national security
· Congress Set to Extinguish Pentagon’s Anti-Domestic Extremism Working Group Created After Jan. 6
A Pentagon working group established to provide recommendations for rooting out extremism in the ranks is set to be defunded
· Two Canadians Who Police Link to Neo-Nazis Face Terrorism Charges
The defendants were members of the Active Club, the purpose of which is to create a “standby militia” that can be activated to create violence on behalf of neo-Nazi causes
· Aiding Terror: How Terrorists Exploit Humanitarian Organizations
Aid has become a lifeline for terrorist groups, enabling their deadly attacks
A Cyber Threat to U.S. Drinking Water (Jacob Horne and Jim Dempsey, Lawfare)
In March 2023, the Environmental Protection Agency issued a memo warning that cyber-attacks against public water systems were increasing. These attacks, the EPA said, have the potential to disable or contaminate the delivery of drinking water to Americans. While some public water systems had taken important steps to improve their cybersecurity, many systems had “failed to adopt basic cybersecurity best practices and consequently are at high risk of being victimized by a cyber-attack,” including by state-sponsored actors, according to the EPA.
Almost immediately, several Republican state attorneys general, joined by the American Water Works Association and National Rural Water Association, petitioned for review. They argued that the memo was a legislative rule issued in violation of the Administrative Procedure Act and that it exceeded the EPA’s statutory authority. The operational technology now essential to the delivery of safe drinking water, the plaintiffs argued, did not fit within the terms of the existing rule covering “equipment” and “operations” and “the distribution of safe drinking water.” The collection of cybersecurity information would, the trade associations argued, expose the water systems to higher risk of cyberattack.
In July, 2023, without opinion, the Eight Circuit granted the plaintiffs’ motion for stay of the memorandum pending disposition of the petition for review. In October, the EPA rescinded the March memo, citing the litigation.
Now the FBI, the Cybersecurity and Infrastructure Security Agency, NSA, the Israeli National Cyber Directorate, and the EPA are warning in a joint advisory that since at least Nov. 22, 2023, cyber actors from Iran’s Islamic Revolutionary Guard Corps (IRGC) have been actively targeting and compromising operational technology used in American water and wastewater systems. The compromised devices (specifically, Israeli-made Unitronics programmable logic controllers) were publicly exposed to the internet with default passwords. The agencies recommend—but they can only recommend, since the EPA memo has been revoked—three actions that water systems could take “today to mitigate malicious activity.”
Those actions are to implement multifactor authentication, use strong, unique passwords, and check installed equipment for default passwords. Sure enough, these are identical to three of the first four items that the EPA had recommended in a cybersecurity checklist issued alongside its March 2023 memo: “Require multi-factor authentication.” “Require a minimum length for passwords.” “Change default passwords.” (Cont.)
