Major cyber news drops under the buzzer for 2024


A ninth U.S. telecommunications provider fell onto Salt Typhoon’s victim list, and the UN’s controversial cybercrime treaty was adopted.

Several pieces of cybersecurity news dropped in the lead up to the new year, including further details about the victims of a recent, widespread telecommunications hack, rules to protect sensitive data and an international treaty on cybercrime norms.

Ninth U.S. telecom provider falls victim to Chinese hackers

A ninth American telecommunications provider was ensnared by China-linked cyberespionage group Salt Typhoon, Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said Friday. The update increases the victim count from eight and came after the unnamed firm used a government-issued guide to scan its networks for the hackers.

Salt Typhoon has ensnared major providers and targeted dozens of high-value political figures, including people tied to President-elect Donald Trump. Several hundred organizations were notified of potential compromise, Nextgov/FCW reported Dec. 23.

Neuberger revealed that in one instance, a telecom company’s network used a single administrator account to manage over 100,000 routers. When the hackers breached the account, they were able to access that entire network.  
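The failure Neuberger described is a blast-radius problem: one credential that reaches every router means one compromise equals the whole network. The script below is an added example, not code from the article or from any telecom, that audits a device inventory for exactly that condition. It maps each administrative account to the devices it can manage, flags accounts whose reach exceeds a policy ceiling, and lists the devices that have no scoped alternative and so must be addressed first when retiring the global account. The inventory, site names and the threshold are constructed sample values, not a standard.

```python
"""Blast-radius audit for shared administrative credentials (added example)."""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample inventory (not real data): each entry is
# (device_id, site, admin accounts accepted for management login).
SAMPLE_INVENTORY: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("rtr-a-01", "site-a", ("netops-global", "site-a-admin")),
    ("rtr-a-02", "site-a", ("netops-global", "site-a-admin")),
    ("rtr-b-01", "site-b", ("netops-global", "site-b-admin")),
    ("rtr-b-02", "site-b", ("netops-global", "site-b-admin")),
    ("rtr-c-01", "site-c", ("netops-global",)),
    ("rtr-c-02", "site-c", ("netops-global",)),
]

Inventory = Sequence[Tuple[str, str, Tuple[str, ...]]]


def account_reach(inventory: Inventory) -> Dict[str, List[str]]:
    """Map each admin account to the sorted list of devices it can manage."""
    reach: Dict[str, set] = defaultdict(set)
    for device_id, _site, accounts in inventory:
        for account in accounts:
            reach[account].add(device_id)
    return {account: sorted(devices) for account, devices in reach.items()}


def blast_radius(inventory: Inventory, account: str) -> float:
    """Fraction of the fleet an attacker controls after compromising `account`."""
    if not inventory:
        return 0.0
    return len(account_reach(inventory).get(account, [])) / len(inventory)


def flag_overbroad_accounts(inventory: Inventory, max_devices: int) -> List[Tuple[str, int]]:
    """Accounts whose reach exceeds `max_devices`, widest reach first.

    `max_devices` is the ceiling a team sets for one credential; the value
    used here is an assumption of this example, not a published standard.
    """
    flagged = [(account, len(devices))
               for account, devices in account_reach(inventory).items()
               if len(devices) > max_devices]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def devices_lacking_scoped_admin(inventory: Inventory, max_devices: int) -> List[str]:
    """Devices reachable only through over-broad accounts.

    These devices cannot be cut over to a scoped credential until one is
    created for them, so a plan to retire the global account starts here.
    """
    overbroad = {account for account, _count in flag_overbroad_accounts(inventory, max_devices)}
    return sorted(device_id for device_id, _site, accounts in inventory
                  if accounts and set(accounts) <= overbroad)


def scoped_rollout_plan(inventory: Inventory) -> Dict[str, List[str]]:
    """Proposed per-site scopes: site -> devices, the bound for a replacement account."""
    plan: Dict[str, List[str]] = defaultdict(list)
    for device_id, site, _accounts in inventory:
        plan[site].append(device_id)
    return {site: sorted(devices) for site, devices in plan.items()}


if __name__ == "__main__":
    for account, count in flag_overbroad_accounts(SAMPLE_INVENTORY, max_devices=2):
        radius = blast_radius(SAMPLE_INVENTORY, account)
        print(f"{account}: reaches {count} devices, blast radius {radius:.0%}")
    print("devices with no scoped admin:", devices_lacking_scoped_admin(SAMPLE_INVENTORY, 2))
```

On the sample data the global account reaches all six routers (blast radius 100%) while each site account reaches two; the two site-c routers are the ones that need a scoped account created before the global one can be withdrawn. On a real fleet the inventory would come from the device management system or a configuration export, and the same reach calculation is worth re-running after each change so that a "temporary" global account does not quietly return.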

AT&T and Verizon said this week that their systems are now secured. T-Mobile, another provider previously reported to have been ensnared, said in a blog post that it deterred a hacking attempt from a group but could not definitively say if it was Salt Typhoon.

The U.S. is working on “further actions” to respond to the hacks, Neuberger said. She also noted the General Services Administration is scrutinizing government contracts to strengthen cybersecurity requirements in the federal procurement process. The Commerce Department is also moving to jettison remaining operating units of China Telecom in the U.S., the New York Times reported Dec. 16.

HHS to publish draft rule for new HIPAA regulations

Updated cybersecurity rules under the Health Insurance Portability and Accountability Act will soon require healthcare institutions to encrypt data, monitor for threats and conduct compliance checks.

That’s according to Neuberger, who spoke about the rules on the same call with reporters about recent Salt Typhoon developments. These updates, the first since 2013, aim to protect patient safety and prevent future breaches. HHS will seek public input on the draft rules, which are estimated to cost $9 billion for the first year and $6 billion annually in subsequent years.

Neuberger argued that while those implementation costs are high, the risks of inaction — including threats to critical infrastructure and patient safety — are far greater.

“We see hospitals forced to operate manually. We see Americans’ sensitive healthcare data, sensitive mental health data, sensitive procedures, being leaked on the dark web with the opportunity to blackmail individuals with that,” Neuberger said.

Healthcare cybersecurity has become top-of-mind for the White House this past year after high-profile hacks into UnitedHealth Group’s Change Healthcare unit, as well as Ascension, the Catholic healthcare network that runs hospitals and senior living facilities.

UN adopts cybercrime treaty, despite human rights concerns

The United Nations General Assembly approved a sweeping cybercrime treaty on Christmas Eve, closing a yearslong effort to standardize how nations can collectively respond to and prosecute hackers. 

The adoption paves the way for official signing in Hanoi next year, where it will take effect around three months after being penned. But concerns linger about how the convention may enable authoritarian governments to carry out digital human rights repressions. One industry group, made up of dozens of cyber and tech firms, sounded the alarm about a draft of the treaty in July.

Those industry players, alongside human rights groups and several lawmakers, fear that the treaty would empower foreign adversaries to abuse cross-border intelligence, cyber and surveillance policies for their own domestic repression. Top U.S. officials have acknowledged these concerns but chose to remain engaged in discussions on the pact.

On paper, signatories are not allowed to use the rules to violate human rights. The convention would establish a unified legal framework to enhance international cooperation in prosecuting cybercrimes, enabling member countries like the United States to align their laws for more effective action against criminal hackers.

U.S. finalizes rule to stop Americans’ data from being sold to adversaries

The Justice Department issued a final rule Dec. 27 that establishes new regulations to prevent Americans’ sensitive data from falling into the hands of foreign adversaries.

It’s expected to take effect by spring next year, 90 days after publication in the Federal Register. The rule derives from a February executive order that bars data brokers from selling bulk caches of U.S. persons’ data to multiple foreign countries, including China and Russia.

It focuses on data types like genomics data, biometric identifiers, geolocation information, health data and financial documentation. Adversaries can use such data to intimidate activists, academics, journalists, dissidents and marginalized groups, suppress political opposition, restrict freedoms or facilitate other violations of civil liberties, the department argues.

“This powerful new national-security program is designed to ensure that Americans' personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access,” DOJ Assistant Attorney General Matthew Olsen said in a statement.