Security Operations, September 15, 2022

The Week in Cybersecurity: U.S. mandates federal agencies use secure third-party software tools

A new U.S. federal government memo mandates the federal use of secure third-party software products and services. Also, Twitter whistleblower Mudge Zatko reveals new details of the company’s security practices (or lack thereof) with Congress.

Carolynn van Arsdale, Writer, ReversingLabs

Welcome to the latest edition of The Week in Cybersecurity, which brings you the newest headlines from both the world and our team about the most pressing topics in cybersecurity.

This week: A new U.S. federal government memo mandates the federal use of secure third-party software products and services. Also, Twitter whistleblower Mudge Zatko reveals new details of the company’s security practices (or lack thereof) with Congress.

This week’s top story

White House OMB memo mandates federal agencies secure their software products

Over a year ago, the Biden Administration released its widely cited Executive Order (14028) on Improving the Nation’s Cybersecurity, which called for the National Institute of Standards and Technology (NIST) to release guidance on secure software development. Now the Office of Management and Budget (OMB) is following suit in complying with the Executive Order.

Yesterday, The White House shared that the OMB issued a memo calling upon the heads of executive departments and agencies to comply with NIST’s guidance, in an effort to secure software used by the federal government. According to The White House, the guidance states that federal agencies can only use software that “complies with secure software development standards,” allowing the federal government to “quickly identify security gaps when new vulnerabilities are discovered.”

The memo applies to any third-party software used by federal agencies to operate or maintain the federal government’s information systems. It does not apply to software developed by the federal government itself; instead, the memo strongly recommends that government-developed software follow NIST’s guidance.

It’s important to note that the memo cuts both ways. Federal agencies and departments are equally responsible under it: they can now only use software provided by software producers that can attest to complying fully with the NIST guidelines.

While this memo does not apply to all private-sector software providers, the mandate does help encourage more software to be developed securely. The software providers who are fastest to comply with this memo will be the ones to secure a spot as one of the federal government’s software vendors. Software providers who fail to keep up with the NIST guidance, however, will lose the federal government as a paying customer.

News Roundup

Here are the stories we’re paying attention to this week…

Twitter whistleblower reveals employees concerned China agent could collect user data (Reuters)

Mudge Zatko, a famed hacker who served as Twitter's head of security until his firing in January, said some Twitter employees were concerned that the Chinese government would be able to collect data on the company's users.

New PsExec spinoff lets hackers bypass network security defenses (BleepingComputer)

Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135.

FBI warns of unpatched and outdated medical device risk (Security Week)

A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads.

CISA has released its Strategic Plan for 2023-25 (CISA)

The Cybersecurity and Infrastructure Security Agency’s (CISA) 2023-2025 Strategic Plan is the agency’s first comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency: the plan will focus and guide the agency’s efforts over the next three years.

SparklingGoblin APT hackers using new Linux variant of SideWalk backdoor (The Hacker News)

A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant. ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin.

A new international Joint Cybersecurity Advisory warns of Iranian-backed cybercriminals (CISA)

Several U.S. federal agencies and departments, along with their counterparts from Australia, Canada, and the U.K., have released a Joint Cybersecurity Advisory highlighting continued malicious cyber activity by APT actors that they assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).
