Federal cyber officials aren’t seeing a significant change in attacks tied to Iran since the conflict there began, at least not yet, but they are on the lookout for any uptick and are focusing on the Stryker attack in particular.

Terry Kalka — director of the Defense Industrial Base Collaborative Information Sharing Environment at The Defense Department’s Cyber Crime Center — said Thursday that “there’s some basic indicators, there’s some known” tactics, techniques and procedures, but “we’re not seeing a tremendous amount of impact yet.”

That sentiment aligns with what the acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, told reporters on Tuesday: “We still are seeing a steady state. We have not seen an increase or any rise of threat actor activity.”

But both men said they’re monitoring to see if that changes. “We are very much on the alert for, if not Iran, Iran-influenced actors,” Kalka told CyberScoop at the Elastic Public Sector Summit.

On Thursday, CISA issued recommendations tied to this month’s cyberattack on medical device maker Stryker, the most eye-catching cyber activity with Iran links after an Iranian hacking group known as Handala claimed credit for the attack.

CISA urged organizations to improve their defenses of endpoint management systems after the attack caused global disruptions to Stryker’s Microsoft environment. CISA made several recommendations , including to set up safeguards in Microsoft’s Intune endpoint management tool.

Stryker has contracts with the Defense Department.

“We’re all paying attention to the Stryker incident that broke last week, because there are implications there for communications technology and private information or corporate information that, even if it’s not defense Information, getting access to someone’s email and understanding the infrastructure of the company is very, very useful,” Kalka said.

Andersen said CISA has been in touch with Stryker, as has the FBI. On Thursday, it was reported that the FBI and the Justice Department took down two websites linked to Handala.

Andersen said the agency’s approach doesn’t change much because of the conflict, however.

“We just can’t take our eyes off of the fact that other adversaries continue to make maneuvers in this space,” he said at an event hosted by Auburn University’s McCrary Institute. “Cybercriminal groups continue to make moves within this space. It was not just about one nation-state at one particular point in time. We see persistent motivation across the board for people to be able to take advantage of cyber weaknesses across critical infrastructure and our traditional IT environments.”

CISA has furloughed hundreds of employees as Congress continues a standoff over funding for the Department of Homeland Security over the Trump administration’s immigration enforcement approach.

The post Feds keep eyes peeled for Iran cyberattacks, respond to Stryker breach appeared first on CyberScoop.

The U.S. government shouldn’t rigidly stick to traditional designations about which agency takes the lead on engaging with critical infrastructure sectors, the acting director of the Cybersecurity and Infrastructure Security Agency said Tuesday.

Sector risk management agency designations have long governed which agency is at the forefront of government efforts to protect each of the 16 critical infrastructure sectors, with CISA responsible for eight of them.

“When we look at our sector risk management agency construct, that’s important for a lot of reasons, It’s less important to abide by that strictly and say ‘CISA is the Sector Risk Management Agency for telecommunications,’” CISA’s Nick Andersen said at an event hosted by Auburn University’s McCrary Institute.

Rather, when responding to cyber incidents or undertaking other engagements with the private sector, the question should be who has the best relationship with a certain sector.

“We may have some owner-operators within a certain critical infrastructure sector that maybe the person they’re best positioned to receive resources from is us, or maybe it’s [Department of] Energy, or maybe it’s EPA, or maybe it’s FBI or NSA, or so forth and so on,” he said. “We just have to be comfortable with taking off those blinders and saying, ‘I don’t necessarily need to be in charge all the time no matter who I am. I just need to make sure that this owner-operator has the best partner teed up to lead that engagement.’”

The goal is to avoid another “Guam situation,” where “everybody was racing to Guam the last couple of years like kids chasing a soccer ball,” Andersen said. Guam was the site of critical infrastructure attacks on U.S. military bases that Microsoft pinned on the Chinese hacking group Volt Typhoon in 2023.

An attack on the telecommunications sector from another “Typhoon” group, Salt Typhoon, prompted questions about whether CISA’s hands are too full with all of its sector risk management agency responsibilities. House Homeland Security Chairman Andrew Garbarino, R-N.Y., raised concerns last year about how CISA handled its sector risk management agency role for the telecommunications sector after the Salt Typhoon campaign was uncovered.

The post CISA official advises agencies not to get too hung up on who takes lead in critical infrastructure sectors appeared first on CyberScoop.

Artificial intelligence may be enhancing cyber threats, but the defensive approach to those AI-amplified attacks remains the same, a top FBI official said Tuesday.

“We have seen actors both criminal and nation-state, they’re absolutely using AI to their advantage,” said Jason Bilnoski, deputy assistant director at the FBI’s cyber division. “But the way attacks unfold have not changed. Cyberattacks still follow basic steps. It just becomes an incredible speed now.”

The best way to deal with those attacks is to implement all the traditional defenses, like those the FBI has been emphasizing as part of its Operation Winter SHIELD media campaign, he said.

“Don’t worry about the speed and capability” of AI attacks, Biloski said at a Billington Cybersecurity conference. “If you’re focused on the basics, it’ll help prevent the actual intrusion from occurring.”

It’s a message that the acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, also shared at the conference. Sophisticated attackers are out there, he said, but the agency’s recent binding operational directive for federal agencies to get rid of unsupported edge devices was a way of shoring up basic vulnerabilities.

“We continue to see any non-zero-days continuing to be exploited within this environment,” he said. “The very least that we can do is harden that edge and make it just a little bit more difficult to take advantage in that regard.” 

His advice to state and local officials was to take a “back to the basics” approach, such as adopting multi-factor authentication.

Bilnoski offered further warnings about the threat, too.

“Identity is the new perimeter. You’re hunting legitimate traffic on your network,” he said. “So we’re no longer seeing malware drop. We’re no longer seeing these very noisy TTPs [tactics, techniques and procedures]. It’s legitimate credentials moving laterally throughout the network, as if it’s a legitimate user on the network. You need to hunt the adversaries as if they’re already on your network, because that’s the type of activity you’re looking for.”

The post FBI says even in an AI-powered world, security basics still matter appeared first on CyberScoop.

The chief information officer at the Cybersecurity and Infrastructure Security Agency announced his departure Tuesday, ending his nearly five-year run at CISA.

Robert Costello, an 18-year veteran of the Department of Homeland Security, posted about the move on LinkedIn.

“Serving as CIO at CISA has been one of the greatest privileges of my career,” he said. “Together, we strengthened our cybersecurity posture, modernized critical systems, and built capabilities that will endure. I am incredibly proud of what we accomplished as a team.”

Costello’s tenure had recently grown turbulent, with conflicting accounts of whether the since-departed acting director of CISA, Madhu Gottumukkala, had tried to force him out. Costello last week received transfer orders for possible reassignment to another agency.

Costello had supporters on the Hill and elsewhere, with House Homeland Security Chairman Andrew Garbarino, R-N.Y., saying as recently as last month that it was good that an earlier reported attempt to move Costello out of the CISA CIO job had fallen short.

As CIO at the agency, Costello advocated for top-notch tech as a recruiting boon. He has been involved in efforts to respond to vulnerabilities within CISA. He has sometimes served as a public face for the agency at events, has touted new tools designed to enhance CISA services and has argued for greater use of artificial intelligence in his role.

“Throughout my career at CISA, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement (ICE), and in the United States Air Force, I have been guided by a commitment to protecting our nation and advancing the greater good,” Costello said. “It has been the honor of a lifetime to serve alongside public servants whose integrity and professionalism set the standard.”

Costello did not indicate his future plans beyond leaving the federal government and a “commitment to service and to this nation.”

Costello’s move isn’t the only recent shakeup at the agency. CISA recently got a new acting director, Nick Andersen, to replace Gottumukkala after the former acting director left for a DHS headquarters post, as the nomination of Sean Plankey to lead CISA continues to stall. The acting chief human resources officer, Kevin Diana, also reportedly received transfer orders.

The post CISA CIO Robert Costello exits agency appeared first on CyberScoop.

Madhu Gottumukkala is out as acting director of the Cybersecurity and Infrastructure Security Agency, with current agency executive director for cybersecurity Nick Andersen replacing him as the interim leader.

News of Gottumukkala’s departure breaks one day after CyberScoop reported on widespread dismay with the agency’s performance during the first year of the Trump administration, with significant criticism aimed at Gottumukkala’s leadership on both sides of the aisle after a number of unflattering stories about his stewardship.

“Madhu Gottumukkala has done a remarkable job in a thankless task of helping reform CISA back to its core statutory mission,” a Department of Homeland Security official told CyberScoop Thursday. “He tackled the woke, weaponized, and bloated bureaucracy that existed at CISA, wrangling contracts to save American taxpayer dollars.”

Gottumukkala, served as chief information officer under then-South Dakota Gov. Kristi Noem, now secretary of DHS, before he was picked as deputy director of the agency. Sean Plankey’s nomination to serve as full-time director of CISA has stalled, leaving Gottumukkala as the acting director in his place.

Gottumukkala will take on a new role at DHS, as director of strategic implementation. Andersen has won more favorable reviews from industry and cyber professionals during his tenure at CISA than did Gottumukkala, whom some still praised for his technical acumen.

ABC News first reported the news on the Gottumukkala and Andersen moves. The news comes the same day as reports about another leadership change at the agency, with Cybersecurity Dive first reporting on the exit of Robert Costello as CISA CIO.

While some officials CyberScoop spoke to for its story about CISA this week believed the agency had some duplication, most thought the Trump administration had cut far deeper than needed, damaging the agency. 

Andersen has held several IT and cybersecurity roles in the public sector over the past two decades, including positions at the Coast Guard, Navy and Department of Energy.

The post Gottumukkala out, Andersen in as acting CISA director appeared first on CyberScoop.

A revised government-industry council devoted to critical infrastructure protection could be set up to have broader and more specific discussions on things like cybersecurity and threats to hardware and software that monitor and control industrial processes, known as operational technology (OT).

A top official at the Cybersecurity and Infrastructure Security Agency (CISA), Nick Andersen, said Tuesday he couldn’t share a timeline yet for the replacement of the Critical Infrastructure Partnership Advisory Council, which the Homeland Security Department disbanded to private sector dismay last year.

But he said the replacement, details of which CyberScoop was first to report, was trying to solve a number of problems with the original council (CIPAC).

“Old CIPAC never made any explicit focus on cybersecurity, that just wasn’t part of what was chartered back in the day when it was originally launched,” Andersen, executive assistant director for cybersecurity, told reporters at an event hosted by the Information Technology Industry Council (ITI).

“Additionally, it didn’t give us the opportunities for having focus groups to have conversations [about] like undersea cables, might be a good example. OT systems might be a good example,” he said. “OT had to nest itself under the IT Sector Coordinating Council in the past. There’s real opportunities for us to improve, opportunities for elements of the community that didn’t necessarily have opportunities to engage in a substantive way in the past, to give them a voice in the process.”

Further considerations, sources have told CyberScoop, include things like liability protections and how transparent the panel’s proceedings should be.

It was one of a number of topics discussed at the ITI event on the intersection of government, industry and cybersecurity.

Andersen told reporters he couldn’t provide a timeline for development of an artificial intelligence information sharing center (AI-ISAC), first proposed by the Trump administration as part of its AI Action Plan.

But he spoke at the event about pitfalls he hoped an AI-ISAC would avoid. Key, he said, would be to avoid having a government-established entity that ran parallel to, rather than in coordination with, industry efforts.

The administration wants to “take the opportunity to get that relationship right,” Andersen said.

The post What’s next for DHS’s forthcoming replacement critical infrastructure protection panel, AI information sharing appeared first on CyberScoop.