Tag Archive for: Scrutiny

Advising both Chinese state companies and the Pentagon, McKinsey & Co. comes under scrutiny


In a 2020 federal court filing related to McKinsey’s advisory role in a bankruptcy case, the firm cited its connection to COSCO. That same year, the shipping company said in a press release that it had received advice from McKinsey.

As part of China’s “Belt and Road Initiative,” COSCO has been pouring Chinese government money into ports around the world and other logistics hubs. COSCO in recent years has bought a majority stake in the Greek port of Piraeus, invested in a new container terminal in the United Arab Emirates, and purchased a major stake in the Peruvian port of Chancay.

COSCO is among a core of state-owned enterprises that are part of the country’s defense industrial base and are given special status by the ruling Chinese Communist Party, according to regional analysts. The company has provided logistical support to the Chinese navy’s escort operations in the Gulf of Aden and experts say it serves as the maritime logistical arm for the People’s Liberation Army (PLA).

Meanwhile, McKinsey advised the U.S. Navy on plans to modernize its network of naval shipyards.

McKinsey, which set up business in China in the 1990s, says on its website it employs more than 1,000 people at six offices across the country and has carried out more than 1,500 “engagements” with Chinese clients in the past five years.

According to McKinsey, the firm’s work in China is carried out through a separate legal entity and most of its consulting does not involve state-owned enterprises (SOEs).

“The vast majority of that work is for the private sector, including with U.S. and other multinational companies. Our limited work with SOEs focuses on the same core commercial and operational topics on which we serve other major corporations,” Grace, the company spokesperson, said.

The company declined to discuss its work with specific Chinese clients, including those that appear on U.S. government blacklists.

Grace said McKinsey follows an extensive internal policy to evaluate potential clients and does not serve political parties anywhere in the world or defense, intelligence, justice or policing institutions in countries with low rankings on the Economist Intelligence Unit’s Democracy…


T-Mobile Faces Regulatory Scrutiny After Hack


A Federal Communications Commission probe into the hack of T-Mobile US Inc. is the agency’s first high-profile cyber inquiry under a Biden administration that has promised to more aggressively police companies’ security standards and privacy safeguards.

The hack, which T-Mobile disclosed on Monday, hit a communications sector in which cyber oversight is spread across federal agencies, including the FCC, which has taken a largely hands-off approach to data security in recent years. But U.S. officials this year have signaled a new willingness to use regulatory power to shore up the cyber defenses of critical infrastructure.

“Telecommunications companies have a duty to protect their customers’ information,” an FCC spokeswoman said on Wednesday, declining to comment further.

A T-Mobile representative didn’t respond to a request for comment on the inquiry.

The FCC’s cybersecurity guidelines are largely voluntary, with agency officials producing recommendations for best practices. The Transportation Security Administration took a similar approach to pipeline cyber standards until the hack of Colonial Pipeline Co. in May. Since then, the agency has rolled out first-of-their-kind regulations, including a requirement that pipeline operators report cyberattacks.

While the T-Mobile hack didn’t disrupt U.S. communications networks, the company said on Wednesday that hackers stole personal data like Social Security and driver’s license numbers on about 48 million people.

The Federal Trade Commission has investigated other personal data breaches, including the 2017 Equifax hack that concluded with a settlement of at least $575 million. The agency, which in…


Under Scrutiny, Big Ag Scrambles To Address Cyber Risk


At first glance, the LinkedIn post from a UK-based security researcher was unremarkable: a photo of vendor swag – a hat, iron-on patch and gym bag he received as a “thank you” for participating in a company’s bug bounty program and reporting software flaws in the company’s products.

What was remarkable was the company logo on the swag: the distinctive yellow stag set against the bright green of agricultural equipment giant John Deere. A handwritten note to the researcher, Sai Ganesh (@ganiganeshss79), thanked him for his participation in Deere’s bug bounty program, which is hosted by the bug bounty platform HackerOne. It was signed “The John Deere Security Team.” 

The Trustworthy Computing Memo Lands On The Farm

In 2021, such gestures are commonplace in the software industry. It has been 16 years since TippingPoint Technologies launched its Zero Day Initiative (now run by Trend Micro) – one of the first “cash for vulnerabilities” programs. In the intervening years, hundreds of firms have followed suit, including giants like Microsoft, Yahoo and Facebook, as well as device makers like Samsung and car makers GM and Tesla.

Tech industry firms, in 2021, draw attention to their programs for rewarding researchers with cash – sometimes lots of it – and company swag for finding and reporting software flaws in their technology. The vulnerability disclosure market is expected to grow in value from $223m annually in 2020 to more than $5 billion by the end of the decade. 

So far, however, that revolution has passed over the agriculture sector, which makes Deere’s sudden about-face all the more remarkable. Despite employing more software developers than mechanical design engineers, according to its CTO, Deere – as late as March – did not have a public vulnerability disclosure program for researchers like Ganesh to take part in. On the MITRE-maintained list of Common Vulnerabilities and Exposures (CVE), the company still does not have a single, publicly disclosed software vulnerability to its…


The Cybersecurity 202: Congressional scrutiny heats up of government response to the SolarWinds hack


Russian actors were able to exploit a vulnerability in SolarWinds products and other software to infiltrate the networks of at least eight government agencies and potentially thousands of other companies and governments around the world.

Testifying before the panel will be former cybersecurity officials Chris Krebs, Sue Gordon and Michael Daniel as well as cybersecurity expert Dmitri Alperovitch.

Lawmakers will be looking for answers as to why, despite significant investments in federal network security, Russians managed to lurk unnoticed in government systems for months. Lawmakers are working with other key committees to learn more about the campaign, Thompson says.

Also likely to come up is a recent hack of a Florida town’s water supply, a committee spokesperson said. The attempted poisoning of the water supply by a hacker has raised alarm about serious vulnerabilities in U.S. critical infrastructure.

“Today we will be discussing what I hope will be a bipartisan endeavor making cyberspace more secure and networks more resilient,” Thompson said in a statement to The Cybersecurity 202. “Thankfully, after four years, Congress now has a willing and able cybersecurity partner in the White House. I am optimistic about the progress we can make but we must work quickly to make up for lost time.”

Other cybersecurity leaders in Congress are cranking up pressure on Biden to better coordinate investigative efforts.

Leaders of the Senate Intelligence Committee say President Biden’s intelligence leaders need to get their act together when it comes to coordinating a response to the attack.

“The briefings we have received convey a disjointed and disorganized response to confronting the breach,” Sen. Mark R. Warner (D-Va.), chairman of the Senate Select Committee on Intelligence, and vice chair Sen. Marco Rubio (R-Fla.) wrote to agency leaders. “Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks.”

The pair urged the agencies to pick a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are…
